[Building Sakai] tomcat sessions and https

Adams, David da1 at vt.edu
Wed May 20 05:14:27 PDT 2009


Will Trillich wrote:
> That is, the establish-credentials stage is encrypted but the rest of
> the session isn't, as the session key includes the remote IP address
> or some such skullduggery to enable a secure session...

Are you asserting that this is how it works or asking? I don't think you
can rely on the client IP being stable or unique unless you have a very
restricted user base. Some ISPs use rotating proxy IPs, and some users
could be signed on simultaneously while sharing a single IP (a home
network, or many university computer labs).

> Found Glenn Golden's Sakai Sessions doc from 2005 (four years old!
> yikes!) but was hoping there's something more modern?

Most of the docs are this old, unfortunately, since they are often the
best source of information. I've found the sessions doc to be mostly
accurate, IIRC.

> Can a browser log in via HTTPS to establish session credentials, and
> then browse Sakai via HTTP?

I haven't tried this, but I think it could be managed. You'd need to
point the action property in any login forms to the https version of the
URL. And you'd need to make sure the JSESSIONID cookie wasn't set to
secure-sessions-only (see assureSession in
org.sakaiproject.util.RequestFilter (in 2.5 at least)). Finally, you'd
need to be sure the login code redirected the browser back to a non-SSL
URL. Depending on what method the login code uses to build the URL, it
might be no problem (if it uses the serverUrl property directly), or it
might depend on how you've got your HTTP stack configured (mainly, is
Tomcat aware if the request was made over SSL--it does if it's handling
the SSL or if you're using AJP or something). Sakai is not very
consistent or DRY about how it builds self-referential URLs.

-dave
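As an added illustration of the three points above (not Sakai code, and not from this thread), here is a small checker that reads a login response and reports whether the session it establishes would leave HTTPS: a JSESSIONID without the Secure flag, or a post-login redirect back to an http URL. The two response samples and the host name sakai.example.edu are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real Sakai server).
# MIXED_MODE is what an HTTPS-login / HTTP-browse setup would send back;
# HTTPS_ONLY is the same login with the cookie kept secure-sessions-only.
MIXED_MODE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=0123abcd.node1; Path=/; HttpOnly\r\n"
    "Location: http://sakai.example.edu/portal\r\n\r\n"
)
HTTPS_ONLY = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=0123abcd.node1; Path=/; Secure; HttpOnly\r\n"
    "Location: https://sakai.example.edu/portal\r\n\r\n"
)

def parse_headers(raw):
    """Return the headers of a raw HTTP response as (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out

def cookie_attributes(set_cookie, name):
    """Lowercased attribute names of cookie `name`, or None if the header sets another cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    if parts[0].split("=", 1)[0] != name:
        return None
    return {p.split("=", 1)[0].lower() for p in parts[1:]}

def audit_login_response(raw, cookie_name="JSESSIONID"):
    """List the ways the session created by this login response can fall back to plain HTTP."""
    findings = []
    attrs = None
    for hname, value in parse_headers(raw):
        if hname == "set-cookie" and attrs is None:
            attrs = cookie_attributes(value, cookie_name)
        elif hname == "location" and urlsplit(value).scheme == "http":
            findings.append("post-login redirect is plain http: the cookie is sent on the very next request")
    if attrs is None:
        findings.append(f"no {cookie_name} cookie set on the login response")
    elif "secure" not in attrs:
        findings.append(f"{cookie_name} lacks the Secure flag: the browser will also send it over http")
    return findings
```

The check covers only the cookie flag and the redirect scheme, not whether Tomcat itself sees the connection as SSL (the AJP / proxy question raised above).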


More information about the sakai-dev mailing list