Spring Security Cookies After User Login and Capture Session

As I understand it, when a user logs in, Spring Security terminates the session and creates a new one.
So, if I come from HTTP with a cleartext sessionID cookie, Spring Security should set a new secure sessionID cookie, which the browser will only send back on subsequent HTTPS requests.
What I am missing is what happens when the "logged in" user switches from HTTPS to HTTP, because the sessionID cookie should still be stored there, as an insecure cookie, in order to track the session.
I do not understand how Spring controls this.
After a user logs in, if he views HTTP, is the cleartext session ID cookie the same as the secure session ID, and is it visible to the whole world? Someone could read it and grab the session.
I don't understand how Spring Security handles this; can someone explain to me how it works?
Thanks

1 answer

It's best not to mix HTTP and HTTPS sessions, for this reason. In fact, it seems that logging in over HTTPS and then returning to HTTP does not work at all (since the browser will not send a secure session cookie).

[...] sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used over HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting the session over HTTP should work first, as the session cookie will not be marked as secure (you would also have to disable Spring Security's session-fixation protection support to prevent a new secure session being created at login; you can always create a new session yourself at a later stage). Please note that switching between HTTP and HTTPS is not a good idea at all, since any application that uses HTTP is generally vulnerable to man-in-the-middle attacks. Restrict access to your site to HTTPS, and keep using it for as long as users are logged in. Even on HTTPS, clicking a link to a page that is accessible over HTTP is potentially risky.

From http://static.springsource.org/spring-security/site/faq.html
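The configuration the answer recommends (HTTPS everywhere, a Secure and HttpOnly session cookie, and session-fixation protection left on), written as an added example rather than code from the question or the FAQ. It assumes Spring Boot 2.x with Spring Security 5.x and the javax.servlet API; class and bean names are hypothetical.

```java
import javax.servlet.SessionCookieConfig;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HttpsOnlySessionConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Redirect every plain-HTTP request to HTTPS, so an authenticated
            // session is never carried over a channel where it can be sniffed.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Keep session-fixation protection: a fresh session ID is issued
            // at login, so the pre-login ID cannot be replayed after login.
            .sessionManagement(session -> session.sessionFixation().migrateSession())
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Servlet 3.0 cookie settings: Secure means the browser only sends the
    // JSESSIONID over HTTPS, HttpOnly keeps it out of reach of page scripts.
    @Bean
    public ServletContextInitializer sessionCookieHardening() {
        return servletContext -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            cookie.setSecure(true);
            cookie.setHttpOnly(true);
        };
    }
}
```

With this in place the "HTTPS then HTTP" case from the question cannot arise: the HTTP request is redirected before any cookie is consulted, and the cookie would not be sent over HTTP anyway.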
