
Re: [jetty-dev] HTTPS to HTTP cookie issue(cookie config issue when switching between https and http)

From this thread (https://github.com/eclipse/jetty.project/issues/3173) and its discussion, we understand that the recent behaviour is as per the Servlet spec, but we really wanted to know why this kind of requirement was stipulated in the spec. For example, was there any vulnerability reported earlier? Or is it stipulated as a security enhancement to avert specific attacks or hijacks?

I have also updated this thread with detailed information; please provide your comments.



On Sun, Dec 2, 2018 at 8:03 PM Jan Bartel <janb@xxxxxxxxxxx> wrote:
You might want to read issue https://github.com/eclipse/jetty.project/issues/3173, where we've been discussing HTTP/HTTPS session cookie configuration.

The exact servlet spec behaviour is discussed in the above issue: if <secure>true</secure>, then the cookie is marked as secure regardless of whether the cookie came from an HTTP or HTTPS request; if <secure>false</secure>, then the cookie is marked as secure only if it came from HTTPS. So I think you've misunderstood the sense of what <secure> means.

regards
Jan

On Sat, 1 Dec 2018 at 14:51, M. Sumanth <m.sumanth1995@xxxxxxxxx> wrote:
I have an issue when I log in to my machine via HTTPS and then try to log in via HTTP.
However, when I clear site data, I can successfully log in via HTTP. The problem occurs when I log in via HTTPS --> log out --> log in via HTTP: I can't log in again unless I clear site data.
This behaviour is observed after upgrading from Jetty 4.2.24 to Jetty 9.2.25.

I have tried to fix this by setting the 'secure' cookie option to false, which is not working.

I am using Jetty 9.2.25, which has Servlet 3.1. I have the cookie configuration below in my web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>

When I set this secure flag to true, it works as expected. But when I set it to false as shown above and access the HTTPS site, the secure flag gets modified to true and I am not able to access the HTTP site. I don't understand how this is happening. Is this the default behaviour of Jetty 9.2.25 or Servlet 3.1? I tried to check the Servlet release notes, but there's no such update. Please provide any documentation links if this behaviour has been recorded as an update.

Any idea regarding this behaviour?

How can I make secure false by default when I access HTTPS, or how do I override this flag when I come back to HTTP?

Thanks in advance.
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-dev


--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD

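Added example (not code from the thread, from Jetty, or from any browser): a small Python model of the two rules this thread turns on. servlet_secure_flag encodes the Servlet 3.x <cookie-config><secure> semantics as Jan describes them. CookieJar models a browser that never sends a Secure cookie over plain HTTP and that applies the "Leave Secure Cookies Alone" rule of RFC 6265bis, under which a Set-Cookie received over plain HTTP may not replace an existing Secure cookie of the same name. That the reporter's browser behaves this way is an assumption (the thread does not name the browser), as is the model's treatment of logout, which by default only invalidates the session server-side without sending a deleting Set-Cookie; both are model parameters, not claims about Jetty. simulate runs the reporter's sequence (login over HTTPS, logout, login over HTTP) with the web.xml above (<secure>false</secure>) and shows why the HTTP login only succeeds after site data is cleared, or after a logout that deletes the Secure cookie over HTTPS.

```python
"""Constructed model of the mechanisms discussed in this thread.
Added example; not Jetty or browser code.

1. servlet_secure_flag: the Servlet 3.x <cookie-config><secure> rule as Jan
   describes it (secure=true -> always Secure; secure=false -> Secure only if
   the session was created on an HTTPS request).
2. CookieJar: a browser that never sends a Secure cookie over plain HTTP and
   follows the "Leave Secure Cookies Alone" rule of RFC 6265bis: a Set-Cookie
   received over plain HTTP may not replace an existing Secure cookie of the
   same name.  ASSUMPTION: the reporter's browser does this; the thread does
   not say which browser was used.
"""
from dataclasses import dataclass
import itertools

SESSION_COOKIE = "JSESSIONID"


def servlet_secure_flag(config_secure, request_is_secure):
    """Whether the session cookie gets the Secure attribute (Servlet spec rule)."""
    return config_secure or request_is_secure


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    max_age: int = -1  # 0 means "delete this cookie"; -1 means not set


class CookieJar:
    """Single host and path, so the cookie name is the only key."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookie, received_over_https):
        """Apply a Set-Cookie; return True if the jar changed, False if rejected."""
        existing = self.cookies.get(cookie.name)
        if existing is not None and existing.secure and not received_over_https:
            return False  # Leave Secure Cookies Alone: HTTP cannot touch a Secure cookie
        if cookie.max_age == 0:
            self.cookies.pop(cookie.name, None)
        else:
            self.cookies[cookie.name] = cookie
        return True

    def cookies_for_request(self, https):
        """Cookie header contents; Secure cookies go only on HTTPS requests."""
        return {c.name: c.value for c in self.cookies.values() if https or not c.secure}


class Server:
    """Toy servlet container.  ASSUMPTION: logout only invalidates the session
    server-side; whether it also sends a deleting Set-Cookie is a parameter."""

    def __init__(self, config_secure=False, logout_deletes_cookie=False):
        self.config_secure = config_secure
        self.logout_deletes_cookie = logout_deletes_cookie
        self.sessions = set()
        self._ids = itertools.count(1)

    def login(self, https, request_cookies):
        """Return (session id, Set-Cookie or None if the session already exists)."""
        sid = request_cookies.get(SESSION_COOKIE)
        if sid in self.sessions:
            return sid, None
        sid = "s%d" % next(self._ids)
        self.sessions.add(sid)
        secure = servlet_secure_flag(self.config_secure, https)
        return sid, Cookie(SESSION_COOKIE, sid, secure)

    def logout(self, https, request_cookies):
        """Invalidate the session; return a deleting Set-Cookie or None."""
        self.sessions.discard(request_cookies.get(SESSION_COOKIE))
        if self.logout_deletes_cookie:
            secure = servlet_secure_flag(self.config_secure, https)
            return Cookie(SESSION_COOKIE, "", secure, max_age=0)
        return None

    def is_logged_in(self, request_cookies):
        return request_cookies.get(SESSION_COOKIE) in self.sessions


def simulate(clear_site_data=False, logout_deletes_cookie=False):
    """Reporter's sequence with <secure>false</secure>: login over HTTPS,
    logout, login over HTTP.  Returns (HTTP Set-Cookie accepted by the
    browser?, HTTP login succeeded?)."""
    server = Server(config_secure=False, logout_deletes_cookie=logout_deletes_cookie)
    jar = CookieJar()

    _, set_cookie = server.login(True, jar.cookies_for_request(True))
    jar.store(set_cookie, received_over_https=True)  # stored with Secure

    deletion = server.logout(True, jar.cookies_for_request(True))
    if deletion is not None:
        jar.store(deletion, received_over_https=True)
    if clear_site_data:
        jar = CookieJar()

    _, set_cookie = server.login(False, jar.cookies_for_request(False))
    accepted = jar.store(set_cookie, received_over_https=False)
    return accepted, server.is_logged_in(jar.cookies_for_request(False))


if __name__ == "__main__":
    print("as reported:                     ", simulate())
    print("after clearing site data:        ", simulate(clear_site_data=True))
    print("logout deletes cookie over HTTPS:", simulate(logout_deletes_cookie=True))
```

In the as-reported run the HTTPS login stores a Secure JSESSIONID, the HTTP login creates a fresh session and sends a non-Secure JSESSIONID, and the jar refuses to overwrite the Secure one, so the browser never holds a cookie it is willing to send over HTTP. The practitioner's check is to look at the Set-Cookie response over HTTP and at the browser's cookie store: a rejected cookie leaves the old Secure entry in place, which is exactly what clearing site data removes.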
