I have a web application which contains both secure (SSL) and non-secure pages. A

Question

0

Editorial Team

Asked: May 14, 20262026-05-14T03:56:42+00:00 2026-05-14T03:56:42+00:00

I have a web application which contains both secure (SSL) and non-secure pages. A

0

I have a web application which contains both secure (SSL) and non-secure pages.

A user can login to the site and must appear logged-in in both the SSL and non-SSL areas.

(NB. SSL isn’t implemented via Tomcat, but via Apache HTTPD servers which sit in front of Tomcat – so Tomcat has no SSL configuration.)

The logged-in state is currently maintained via a servlet session (using Tomcat’s vanilla session management).

The obvious issue with this approach is that the JSESSIONID cookie is transported over both HTTP and HTTPS connections, meaning that it’s potentially possible to intercept it and hijack the session.

Are there any solutions to this without rolling our own session management (i.e. does Tomcat cater for this situation)?

I’m prepared to implement our own session management, but don’t want to reinvent something that may already be supported.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-14T03:56:43+00:00

Editorial Team

2026-05-14T03:56:43+00:00Added an answer on May 14, 2026 at 3:56 am

You say the SSL is implemented on the Apache server and not passed down to Tomcat, so Tomcat treats the whole journey as HTTP? If so, Tomcat will not create separate JSESSIONIDs since it is not aware of the HTTPS.

You can check the request.getUserPrincipal() to see if user is logged-in.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a web application which contains both secure (SSL) and non-secure pages. A

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply