HTTPS for login-page, HTTP for other pages

[borras]

Hi all,
I use spring securtity 3.0.2 and I want to log in my web application via https. But once I logged in, I want to return in http. When I log in https and I return in http I'm no more logged!
I read this faq that talks about my problem but I don't understand how to proceed.
This is my test config:

Code:

<intercept-url pattern="/login.html" requires-channel="https"/>
<intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
<intercept-url pattern="/securitySimple.html" access="ROLE_USER" requires-channel="http"/> 
<intercept-url pattern="/**"   requires-channel="http" />
<form-login login-page='/login.html' />

Thanks.

[Luke Taylor]

It's generally recommended that you stay in HTTPS once you are logged in. Your app won't really be secure otherwise.

[alexrob]

Luke,
While you are right it won't be completely secure if allow switching back to HTTP (as the session could be hijacked by stealing the session ID on HTTP), isn't the question worth answering as this may be a valid scenario. Imagine a site where you want a secure login, but the user can then browse product pages which do not need to be secured (and should not be for better performance). I guess you need to be aware that the session is not secure after switching back to HTTP, so you shouldn't allow the user to modify their account, buy products, change their password, etc, until they have relogged-in securely.
Is the answer then contained in that FAQ? That you should first create a session in HTTP?

Alex

[Luke Taylor]

There are lots of potential attacks against HTTPS, and I don't really know what they all are in detail. I just know that the advice from people who do know is that to be completely secure, the end user should start their access in HTTPS and should remain in it throughout. HTTP is the weakpoint which can allow an attacker to slot in a MITM attack

See this video on sslstrip and related attacks, for example.

[paolocollector]

Sorry for reopening this old thread, but i've been looking for two days everywhere for a solution without finding it.
I really need to get an https login and most of the rest in http (I dont write requirements), but i'm facing the problem described in faq-tomcat-https-session

"Starting a session in HTTP first should work as the session cookie won't be marked as secure."
Question: how can I start a session in http first?
I want the user to be logged in before doing anything else.

I tried many combinations in the configuration file: this one sends me to an https login page but does not remember the session, as described in the faq

<intercept-url pattern="/login.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
<intercept-url pattern="/j_spring_security_check" requires-channel="https"/>


Can please anybody help?

Paolo

[Rob Winch]

Before I tell you how to do this, I'd like to reiterate what Luke said. Using http after authentication has occured should not be done. I understand you do not make requirements, but it is good to educate those who make requirements so that they can make an informed decision; after all, you are the expert. Insufficient Transport Layer Protection is on the OWASP Top 10 Security Issues, so changing to HTTP after login makes your application an ideal target. Below is a quote from OWASP:

Applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception.

Question: how can I start a session in http first?

In order to ensure a session is created over HTTP and not HTTPS you can create a custom filter

• The filter should intercept every request.
• First it checks to see if the session has already been created using HttpServletRequest.getSession(false) != null. If a session exists, the filterchain continues without any processing done by the custom filter.
• If the session has not been created it checks to see if the request came from http, if it has it creates a new session using HttpServletRequest.getSession() and continues the filterchain without further processing.
• If the session has not been created and the request is https redirect to http and do not continue the filterchain.

Note that you will probably have some issues using session fixation protection that is built into Spring Security, so you may need to customize this or disable it. Disabling session fixation protection has other negative security implications and I do not recommend doing it.

I want the user to be logged in before doing anything else.

You can create a session prior to being logged in, so this shouldn't be an issue.

HTH,