Hi Shane,

While I'm certainly happy that http<->https switching functionality is 
available (that's what I've been asking for), I was wondering if you implemented 
any security precautions, because by switching from https back to http you open 
a security hole if you rely only on the jsessionid cookie / request parameter.

I.e.: I log in via https and get redirected - after correctly logging in - to an 
http page. Now my session id was transmitted unencrypted and everyone who can 
listen to my network traffic can hijack my session simply by using the same 
session id (the only problem might be that the IPs are different, so the attacker 
has to be behind the same proxy).

Any clarification please ;) ?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024422#4024422

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
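One server-side way to close the gap described in the post above, written as an added example and not code from JBoss or from the poster: a servlet filter that tags a session as "secure-bound" the first time it is used over HTTPS and retires that session the moment its id is presented over plain HTTP, so an id captured on the unencrypted side is already dead. The attribute name and the assumption that the filter is mapped to all URLs in web.xml are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not part of JBoss): a session that was
 * established over HTTPS is marked as secure-bound. If the same session id
 * later arrives over plain HTTP it has just travelled in the clear, so the
 * session is invalidated and the request continues with a fresh, unauthenticated
 * one. A sniffed JSESSIONID therefore never maps to an authenticated session.
 */
public class SecureSessionFilter implements Filter {
    // Assumed attribute name used to mark a session as bound to HTTPS.
    static final String SECURE_BOUND = "example.session.secureBound";

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // do not create one here

        if (session != null) {
            boolean bound = Boolean.TRUE.equals(session.getAttribute(SECURE_BOUND));
            if (bound && !request.isSecure()) {
                // The id was sent unencrypted: retire it so a captured copy is useless,
                // then hand the user a new session with no authenticated state.
                session.invalidate();
                request.getSession(true);
            } else if (request.isSecure() && !bound) {
                // First HTTPS request carrying this session (typically the login).
                session.setAttribute(SECURE_BOUND, Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Pages that must stay reachable over http after the switch then work on the new unauthenticated session; anything needing the logged-in state has to be served over https only.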
