| Started by | isuy <isuy@socal.rr.com> |
|---|---|
| First post | 2013-08-12 09:23 -0700 |
| Last post | 2013-08-12 10:16 -0700 |
| Articles | 2 — 2 participants |
Can a session created in a secured domain be detected in a non-secured domain? isuy <isuy@socal.rr.com> - 2013-08-12 09:23 -0700
Re: Can a session created in a secured domain be detected in a non-secured domain? Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-08-12 10:16 -0700
| From | isuy <isuy@socal.rr.com> |
|---|---|
| Date | 2013-08-12 09:23 -0700 |
| Subject | Can a session created in a secured domain be detected in a non-secured domain? |
| Message-ID | <kub263$m49$1@dont-email.me> |
Hi, I am writing a shopping cart using Java servlets and I have a question.

Let's say I have a servlet "MyAccount" on port 8443, which is secured. I created a session there, but session.getSession(false) from another program on port 8080, which is not secured, returns null.

Is this the way it is, or am I doing something wrong?

Thank you for your time.
| From | Daniel Pitts <newsgroup.nospam@virtualinfinity.net> |
|---|---|
| Date | 2013-08-12 10:16 -0700 |
| Message-ID | <zL8Ot.153720$726.18885@fx06.iad> |
| In reply to | #2750 |
On 8/12/13 9:23 AM, isuy wrote:
> Hi, I am writing a shopping cart using Java servlet and I have a question.
>
> Let's say I have a servlet "MyAccount" in 8443 port which is secured. I
> created a session there, but session.getSession(false) from other
> program in 8080 port which is not secured returns null.
>
> Is this the way it is or is it that I am doing something wrong?
>
>
> Thank you for your time.

Sessions are often correlated by cookie. For security, that cookie should never be sent "in the clear" or in plain-text, and therefore should always be sent via https.

If you need to present information to a user which is in a secure session, then the request should be https. You may be able to do this via AJAX, if only part of your page needs to be https. Depending on the scale of your site, though, it may be better to do the whole page https when the user has a session.

There are probably other work-arounds, but they may compromise security unless implemented by a web-based software security professional.
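The cookie behaviour described in the reply, as an added example that is not part of either post: the JDK's own `java.net.CookieManager` stands in for the browser and shows which requests carry the session cookie. It assumes the container marks the session cookie `Secure` when the session is created over HTTPS; the host name, paths and session ids are constructed.

```java
import java.net.CookieManager;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class SessionCookieScopeDemo {
    // Hypothetical host and paths; ports match the question (8443 = HTTPS, 8080 = HTTP).
    static final String HTTPS_ORIGIN = "https://shop.example:8443/MyAccount";
    static final String HTTP_URL = "http://shop.example:8080/cart";
    static final String HTTPS_URL = "https://shop.example:8443/cart";

    // Store one Set-Cookie header as if it arrived in the HTTPS response.
    static CookieManager jarWith(String setCookie) throws Exception {
        CookieManager jar = new CookieManager();
        jar.put(URI.create(HTTPS_ORIGIN),
                Collections.singletonMap("Set-Cookie", Collections.singletonList(setCookie)));
        return jar;
    }

    // Cookie header values the client would attach to a request for `url`.
    static List<String> sentTo(CookieManager jar, String url) throws Exception {
        Map<String, List<String>> headers =
                jar.get(URI.create(url), Collections.<String, List<String>>emptyMap());
        List<String> cookies = headers.get("Cookie");
        return cookies == null ? Collections.<String>emptyList() : cookies;
    }

    public static void main(String[] args) throws Exception {
        // Constructed session ids, not real values.
        CookieManager secure = jarWith("JSESSIONID=CONSTRUCTED-A; Path=/; Secure; HttpOnly");
        CookieManager plain = jarWith("JSESSIONID=CONSTRUCTED-B; Path=/; HttpOnly");

        // Secure cookie: withheld from port 8080, so the servlet there sees no session id.
        System.out.println("Secure -> http : " + sentTo(secure, HTTP_URL));
        System.out.println("Secure -> https: " + sentTo(secure, HTTPS_URL));
        // Without Secure the id crosses to port 8080 unencrypted, which is the
        // exposure the reply warns about.
        System.out.println("NoFlag -> http : " + sentTo(plain, HTTP_URL));
    }
}
```

Cookies are scoped by host and path rather than by port, so the `Secure` attribute is what keeps the session id off the plain-HTTP connector.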