In J2EE, the Web container creates two different session objects for https and http requests. Therefore, if only some pages in a Web application use SSL, you must make sure the session is carried across every switch between pages that use SSL and pages that do not (that is, between https requests and http requests). You can do this by transmitting the sessionId in the accessed URL: bind the sessionId to every URL that enters or leaves https. For example, when switching from http to https the URL becomes https://xxx/login.do;jsessionid=<%=session.getId()%>, and when switching from https to http it becomes http://xxx/xxx.do;jsessionid=<%=session.getId()%>. The Web container then looks up the session object by this sessionId instead of generating a new one, so the session stays the same across http and https switches (this method has been verified on Tomcat).
A sessionId bound to the URL is easy to steal. To prevent the session from being hijacked, the session must also be validated against the client IP address: when the user logs in successfully, call session.setAttribute("clientIp", request.getRemoteAddr()) to store the client's IP address. Then, whenever the validity of a session is checked, compare the current client IP address with the one originally stored in the session's clientIp attribute; if they differ, treat the session as invalid.
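As an added example (not code from the original article), here is a servlet Filter that performs the client-IP check just described on every request. It assumes the login code has stored request.getRemoteAddr() under the session attribute "clientIp" as above, and that the login page is /login.do, as in the URL shown earlier.

```java
// Added example, not from the original article: enforces the clientIp binding
// on every request that reaches the filter's url-pattern.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionIpFilter implements Filter {
    // Attribute name used in the article; set at login with request.getRemoteAddr()
    private static final String CLIENT_IP_ATTR = "clientIp";

    // Call this once from the login handler after the credentials are accepted
    public static void bindClientIp(HttpServletRequest request) {
        request.getSession(true).setAttribute(CLIENT_IP_ATTR, request.getRemoteAddr());
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an anonymous visitor
        // simply passes through to the login page
        HttpSession session = request.getSession(false);
        if (session != null) {
            String boundIp = (String) session.getAttribute(CLIENT_IP_ATTR);
            // Only sessions that went through login carry the attribute
            if (boundIp != null && !boundIp.equals(request.getRemoteAddr())) {
                // Address differs from the one stored at login: treat the session
                // as hijacked, drop it and force a fresh login
                session.invalidate();
                response.sendRedirect(response.encodeRedirectURL(
                        request.getContextPath() + "/login.do"));
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Register the filter in web.xml with a url-pattern that covers the protected pages. Behind a reverse proxy getRemoteAddr() returns the proxy's address rather than the user's, so the same comparison must then be made on the address the proxy forwards.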
Redirecting http directly to https is simpler in PHP:
<?php
// Send the browser to the https address and stop processing this page
header("Location: https://www.bkjia.com");
exit;
?>
When a page is accessed over http, redirect to https:
<?php
// Redirect http to https. $_SERVER["HTTPS"] is unset on plain http,
// so test with empty() before comparing it
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
    $xredir = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $xredir);
    exit;
}
?>
When a page is accessed over https, redirect to http:
<?php
// Redirect https to http. Note the comparison operator: a single "=" would
// assign "on" to the variable and redirect on every request
if (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
    $xredir = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $xredir);
    exit;
}
?>
Add the above code at the very beginning of the page, before any output is sent, since header() cannot set a redirect once output has started.