
As far as I understand, when the user logs in, Spring Security invalidates the session and creates a new one.
So if I come from HTTP with a clear sessionID cookie, Spring Security should set a new sessionID 'secure' cookie that will be sent back by the browser only on subsequent HTTPS requests.
What I'm missing is: when the 'logged-in' user switches from HTTPS to HTTP, then there must be a sessionID cookie stored somewhere as a non-secure cookie to keep track of the session.
I don't understand how Spring manages that.
After the user is logged in, if he browses to HTTP, is the clear sessionID cookie then the same as the secure sessionID, and is it then visible to the world? Somebody could read that and hijack the session.
I don't understand the Spring Security flow; can somebody explain to me how it works?
Thanks


1 Answer


It's best not to mix HTTP and HTTPS sessions, for the very reason you described. In fact, it seems logging in over HTTPS and then dropping back to HTTP won't work (as the browser won't send the secured session cookie).

[...] sessions created under HTTPS, for which the session cookie is marked as “secure”, cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure (you will also have to disable Spring Security's Session Fixation Protection support to prevent it from creating a new secure session on login; you can always create a new session yourself at a later stage). Note that switching between HTTP and HTTPS is not a good idea in general, as any application which uses HTTP at all is vulnerable to man-in-the-middle attacks. To be truly secure, the user should begin accessing your site in HTTPS and continue using it until they log out. Even clicking on an HTTPS link from a page accessed over HTTP is potentially risky.

From http://static.springsource.org/spring-security/site/faq.html

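The configuration the answer and the FAQ point toward (HTTPS for every request, session-fixation protection left on, the session cookie always marked Secure, plus HSTS so the browser stops trying HTTP at all), written out as an added example. This is not code from the question, the answer or the Spring Security project; it assumes Spring Boot 3 with Spring Security 6's lambda DSL, and the class name, URL patterns and cookie name are illustrative placeholders.

```java
import jakarta.servlet.SessionCookieConfig;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; assumes Spring Boot 3 / Spring Security 6.
@Configuration
@EnableWebSecurity
public class HttpsOnlySessionConfig {

    // Mark the container's session cookie Secure and HttpOnly unconditionally.
    // Tomcat only sets Secure when the session happens to be created over HTTPS;
    // forcing it here means a session started over HTTP could never be replayed
    // by the browser over HTTP either (it simply would not be sent).
    @Bean
    ServletContextInitializer secureSessionCookie() {
        return servletContext -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            cookie.setSecure(true);
            cookie.setHttpOnly(true);
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must arrive over HTTPS; plain-HTTP requests are
            // redirected to the HTTPS equivalent before any session is touched.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Keep session-fixation protection: a new session ID is issued on
            // login so an ID observed before authentication is worthless after it.
            // The FAQ's "HTTP first" workaround would use fixation.none() here;
            // that is the weak setting, shown only to name what NOT to do.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.migrateSession()))
            // HSTS: after one HTTPS visit the browser rewrites http:// links to
            // https:// itself, so even a stray HTTP link cannot leak the cookie.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // Drop the session cookie on logout; the placeholder name matches
            // the servlet container's default.
            .logout(logout -> logout.deleteCookies("JSESSIONID"));
        return http.build();
    }
}
```

With this in place the scenario in the question cannot arise: there is never a second, non-secure copy of the session ID, because the only session cookie carries the Secure attribute and an HTTP request is redirected before the application reads it. The same cookie flags can be set in Spring Boot via `server.servlet.session.cookie.secure=true` and `server.servlet.session.cookie.http-only=true` instead of the initializer bean.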