| From | Daniel Pitts <newsgroup.nospam@virtualinfinity.net> |
|---|---|
| Newsgroups | comp.lang.java.help |
| Subject | Re: Can a session created in a secured domain be detected in a non-secured domain? |
| References | <kub263$m49$1@dont-email.me> |
| Message-ID | <zL8Ot.153720$726.18885@fx06.iad> (permalink) |
| Date | 2013-08-12 10:16 -0700 |
On 8/12/13 9:23 AM, isuy wrote:
> Hi, I am writing a shopping cart using Java servlet and I have a question.
>
> Let's say I have a servlet "MyAccount" in 8443 port which is secured. I
> created a session there, but session.getSession(false) from other
> program in 8080 port which is not secured returns null.
>
> Is this the way it is or is it that I am doing something wrong?
>
>
> Thank you for your time.

Sessions are often correlated by cookie. For security, that cookie should never be sent "in the clear" or in plain-text, and therefore should always be sent via https.

If you need to present information to a user which is in a secure session, then the request should be https. You may be able to do this via AJAX, if only part of your page needs to be https. Depending on the scale of your site, though, it may be better to do the whole page https when the user has a session.

There are probably other work-arounds, but they may compromise security unless implemented by a web-based software security professional.
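
The cookie behaviour described in the reply, as an added example that is not part of the original post: Python's standard cookie jar plays the browser, receiving a session cookie from the HTTPS servlet and then building requests for both ports. The host name, paths and cookie value are constructed, and the `Secure` attribute on `JSESSIONID` is an assumption about what the container sent, since the thread does not show the actual `Set-Cookie` header.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample values (assumptions, not taken from the thread).
HTTPS_URL = "https://shop.example:8443/MyAccount"
HTTP_URL = "http://shop.example:8080/cart"
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/; HttpOnly"


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Cookie header the client would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(set_cookie):
    """Store a cookie received from the HTTPS servlet, then replay both schemes."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(HTTPS_URL))
    return {
        "https": cookie_header_for(jar, HTTPS_URL),
        "http": cookie_header_for(jar, HTTP_URL),
    }


if __name__ == "__main__":
    # Secure flag set: the plain-HTTP request carries no session id, so the
    # servlet on 8080 sees no session and getSession(false) returns null.
    print("Secure cookie:", simulate(SECURE_COOKIE))
    # No Secure flag: cookies are not isolated by port, so the same session
    # id also goes out unencrypted on 8080, where it can be read in transit.
    print("Plain cookie: ", simulate(PLAIN_COOKIE))
```
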