Discussion:
Can a session created in a secured domain be detected in a non-secured domain?
isuy
2013-08-12 16:23:29 UTC
Hi, I am writing a shopping cart using Java servlet and I have a question.

Let's say I have a servlet "MyAccount" on port 8443, which is secured. I
created a session there, but session.getSession(false) from another
program on port 8080, which is not secured, returns null.

Is this the way it is or is it that I am doing something wrong?


Thank you for your time.
Daniel Pitts
2013-08-12 17:16:27 UTC
Post by isuy
Hi, I am writing a shopping cart using Java servlet and I have a question.
Let's say I have a servlet "MyAccount" on port 8443, which is secured. I
created a session there, but session.getSession(false) from another
program on port 8080, which is not secured, returns null.
Is this the way it is or is it that I am doing something wrong?
Thank you for your time.
Sessions are often correlated by cookie. For security, that cookie
should never be sent "in the clear" or in plain text, and therefore
should always be sent via https.

If you need to present information to a user which is in a secure
session, then the request should be https. You may be able to do this
via AJAX, if only part of your page needs to be https.

Depending on the scale of your site, though, it may be better to do the
whole page https when the user has a session.

There are probably other work-arounds, but they may compromise security
unless implemented by a web-based software security professional.
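The following is an added example, not code from either poster. It shows the two pieces that make the behaviour above deliberate rather than accidental: a Servlet 3.0+ listener that marks the container's session cookie Secure (and HttpOnly), so the browser never sends it to the plain-HTTP connector on 8080, and a filter that redirects any non-HTTPS request to the same URL on the secured connector instead of trying to look up a session there. The class names, the 8080/8443 ports (taken from the question) and the use of javax.servlet annotations are assumptions; adapt them to your deployment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): refuses to handle session-bearing
// traffic on the plain-HTTP connector and sends it to the HTTPS connector.
@WebFilter("/*")
public class HttpsOnlySessionFilter implements Filter {

    // Port of the secured connector; 8443 as in the question.
    static final int HTTPS_PORT = 8443;

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only for requests that arrived over TLS (the 8443
        // connector). On 8080 we never call getSession(); we redirect instead,
        // so no session id is ever created or echoed in clear text.
        if (!request.isSecure()) {
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    // Builds the https:// equivalent of the current request URL.
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) {
            url.append(':').append(HTTPS_PORT);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    @Override
    public void destroy() { }
}

// Hypothetical listener (added example): configures the session cookie before
// the context finishes starting, which is the point at which the Servlet spec
// allows SessionCookieConfig to be changed.
@WebListener
class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        SessionCookieConfig cookie = event.getServletContext().getSessionCookieConfig();
        // Secure: the browser only sends the cookie over https, so a request to
        // http://host:8080 carries no session id and getSession(false) is null.
        cookie.setSecure(true);
        // HttpOnly: page scripts cannot read the session id.
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }
}
```

With this in place the null on port 8080 is the expected outcome: the cookie that identifies the session never reaches the unsecured connector, and the filter turns such requests into a redirect to 8443 rather than silently starting a second, unauthenticated session there. The same Secure flag can also be set declaratively in web.xml under session-config/cookie-config, which is equivalent to the listener above.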