Re: [Stripes-users] HTTPS to HTTP switching
ks best IMHO... you just have to decide how many rings you are going to have and how thick those rings need to be. When / where to use HTTPS is just one piece of the puzzle.

HTH ;-)

--Nikolaos

Adam Stokar wrote:

> We've noticed a difference in performance on our servers using http vs https so figured if we could use some code to handle this issue vs upgrading our servers. I don't really agree that if you secure the site with a login that everything should be secure. Digg, for example, doesn't need to encrypt its news feed after you log in because the information is not sensitive. Many sites I've seen have non-secure content after logging in. Was hoping there was an easy way to do it in Stripes but I guess not.
>
> On Mon, Jan 31, 2011 at 10:19 AM, Stone, Timothy <tst...@barclaycardus.com> wrote:
>
> > Couldn't this "use case" also be addressed with OAuth? Where the Auth is performed over OAuth, but the site remains over HTTP (non-secure).
> >
> > I do agree 100% with Janne though, HTTPS is cheap. If the username/password, and the services provided by the webapp should be secure, make it secure 100% of the time, e.g., redirect to HTTPS immediately on hitting the site.
> >
> > Regards,
> > Tim
> >
> > -----Original Message-----
> > From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com]
> > Sent: Monday, January 31, 2011 9:48 AM
> > To: Stripes Users List
> > Subject: Re: [Stripes-users] HTTPS to HTTP switching
> >
> > > 1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http
> >
> > And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...
> >
> > Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating loadbalancers and plenty-of-CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)
> >
> > /Janne

--
Nikolaos Giannopoulos
Director of Information Technology
BrightMinds Software Inc.
e. nikol...@brightminds.org
w. www.brightminds.org
t. 1.613.822.1700
c. 1.613.797.0036
f. 1.613.822.1915
Re: [Stripes-users] HTTPS to HTTP switching
> urity bindings).
>
> But alas for most Internet sites today where a lot of traffic is non-sensitive - as you point out - a 100% HTTPS OR a full blown Identity platform - may indeed be overkill. Like anything else, Security is always a trade-off of things, and a ring like layered approach works best IMHO... you just have to decide how many rings you are going to have and how thick those rings need to be. When / where to use HTTPS is just one piece of the puzzle.
>
> HTH ;-)
>
> --Nikolaos
>
> Adam Stokar wrote:
>
> > We've noticed a difference in performance on our servers using http vs https so figured if we could use some code to handle this issue vs upgrading our servers. I don't really agree that if you secure the site with a login that everything should be secure. Digg, for example, doesn't need to encrypt its news feed after you log in because the information is not sensitive. Many sites I've seen have non-secure content after logging in. Was hoping there was an easy way to do it in Stripes but I guess not.
> >
> > On Mon, Jan 31, 2011 at 10:19 AM, Stone, Timothy wrote:
> >
> > > Couldn't this "use case" also be addressed with OAuth? Where the Auth is performed over OAuth, but the site remains over HTTP (non-secure).
> > >
> > > I do agree 100% with Janne though, HTTPS is cheap. If the username/password, and the services provided by the webapp should be secure, make it secure 100% of the time, e.g., redirect to HTTPS immediately on hitting the site.
> > >
> > > Regards,
> > > Tim
> > >
> > > -----Original Message-----
> > > From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com]
> > > Sent: Monday, January 31, 2011 9:48 AM
> > > To: Stripes Users List
> > > Subject: Re: [Stripes-users] HTTPS to HTTP switching
> > >
> > > > 1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http
> > >
> > > And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...
> > >
> > > Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating loadbalancers and plenty-of-CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)
> > >
> > > /Janne
Re: [Stripes-users] HTTPS to HTTP switching
> upgrading our servers. I don't really agree that if you secure the site with a login that everything should be secure. Digg, for example, doesn't need to encrypt its news feed after you log in because the information is not sensitive. Many sites I've seen have non-secure content after logging in. Was hoping there was an easy way to do it in

If you gave a little thought to what Janne has written, it would be clear that it is pointless to use SSL for the login page if the session id (or other authentication token) is then sent UNENCRYPTED with EACH subsequent request. It's not much more secure than relying on "?admin=true" in the URL.

Just because "the big ones" do it, doesn't mean it's good -- perhaps in Digg's case the possibility of hijacking an existing session is an acceptable tradeoff for performance, perhaps Facebook doesn't care about privacy, but you should consider it for your application yourself. What kind of damage can be done if someone steals one of the user's sessions? Having SSL for the login page and HTTP for all the rest only protects users from their password getting stolen; hackers can still steal their session, access their data and perhaps even change their passwords.

Best regards
Re: [Stripes-users] HTTPS to HTTP switching
We've noticed a difference in performance on our servers using http vs https so figured if we could use some code to handle this issue vs upgrading our servers. I don't really agree that if you secure the site with a login that everything should be secure. Digg, for example, doesn't need to encrypt its news feed after you log in because the information is not sensitive. Many sites I've seen have non-secure content after logging in. Was hoping there was an easy way to do it in Stripes but I guess not.

On Mon, Jan 31, 2011 at 10:19 AM, Stone, Timothy wrote:

> Couldn't this "use case" also be addressed with OAuth? Where the Auth is performed over OAuth, but the site remains over HTTP (non-secure).
>
> I do agree 100% with Janne though, HTTPS is cheap. If the username/password, and the services provided by the webapp should be secure, make it secure 100% of the time, e.g., redirect to HTTPS immediately on hitting the site.
>
> Regards,
> Tim
>
> -----Original Message-----
> From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com]
> Sent: Monday, January 31, 2011 9:48 AM
> To: Stripes Users List
> Subject: Re: [Stripes-users] HTTPS to HTTP switching
>
> > 1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http
>
> And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...
>
> Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating loadbalancers and plenty-of-CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)
>
> /Janne
Re: [Stripes-users] HTTPS to HTTP switching
Couldn't this "use case" also be addressed with OAuth? Where the Auth is performed over OAuth, but the site remains over HTTP (non-secure).

I do agree 100% with Janne though, HTTPS is cheap. If the username/password, and the services provided by the webapp should be secure, make it secure 100% of the time, e.g., redirect to HTTPS immediately on hitting the site.

Regards,
Tim

-----Original Message-----
From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com]
Sent: Monday, January 31, 2011 9:48 AM
To: Stripes Users List
Subject: Re: [Stripes-users] HTTPS to HTTP switching

> 1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http

And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...

Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating loadbalancers and plenty-of-CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)

/Janne
Re: [Stripes-users] HTTPS to HTTP switching
> 1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http

And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...

Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating loadbalancers and plenty-of-CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)

/Janne
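Added example, not part of the thread and not Stripes code: one way to get the "https all the way" behaviour recommended above is a servlet filter mapped to /* ahead of the Stripes filter. The class name, the init-params canonicalHost and trustProxyHeader, and the reliance on an X-Forwarded-Proto header set by the SSL-terminating load balancer are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: sends every plain-HTTP request to HTTPS. */
public class ForceHttpsFilter implements Filter {

    // Assumption: the load balancer sets this header itself and strips any
    // copy supplied by the client. Leave trustProxyHeader off otherwise.
    private static final String FORWARDED_PROTO = "X-Forwarded-Proto";

    private boolean trustProxyHeader;
    private String canonicalHost;

    @Override
    public void init(FilterConfig config) throws ServletException {
        trustProxyHeader = Boolean.parseBoolean(config.getInitParameter("trustProxyHeader"));
        // A configured host name keeps the redirect target independent of
        // the client-controlled Host header.
        canonicalHost = config.getInitParameter("canonicalHost");
        if (canonicalHost == null || canonicalHost.trim().isEmpty()) {
            throw new ServletException("canonicalHost init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (arrivedOverTls(request)) {
            // Ask the browser to use HTTPS for this host for the next year.
            response.setHeader("Strict-Transport-Security", "max-age=31536000");
            chain.doFilter(req, res);
            return;
        }

        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            StringBuilder target = new StringBuilder("https://")
                    .append(canonicalHost)
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        // A form posted over HTTP has already crossed the network in clear.
        // Reject it so the broken link or form is noticed and fixed.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
    }

    /** True if the client connection used TLS, directly or at the load balancer. */
    private boolean arrivedOverTls(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        // Behind an SSL-terminating load balancer the container only sees
        // plain HTTP, so isSecure() is false even for HTTPS clients.
        return trustProxyHeader
                && "https".equalsIgnoreCase(request.getHeader(FORWARDED_PROTO));
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The redirect protects the session only when the session cookie also carries the Secure flag; without it the browser has already sent the cookie in clear on the first http:// request.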
Re: [Stripes-users] HTTPS to HTTP switching
Actually, many sites need this and do this today (Netflix for example). There are a few cases when you need to do this:

1) Logging in. The login action should be https so username and password are encrypted, but once I pass the login, the first page the user sees does not need to be secure, hence switching from https to http

2) If the user is already logged in and they need to edit billing info, the site must switch to https from http in order to capture that new billing info without losing the session information.

I have done it before with Struts, so was wondering if Stripes had a cleaner technique. Can you show a simple example of using the ActionBeanContext to do this? See my below code that I used in Struts once the user logs in... I'm overwriting the current JSESSIONID cookie with a custom one.

    import javax.servlet.http.Cookie;

    // request, response and session are assumed to be in scope here
    Cookie cookie = new Cookie("JSESSIONID", session.getId());
    cookie.setDomain("mydomain.com");
    cookie.setMaxAge(-1); // Life of the browser or timeout
    cookie.setSecure(false); // not marked Secure, so it is also sent over http
    String contextPath = request.getContextPath();
    if ((contextPath != null) && (contextPath.length() > 0)) {
        cookie.setPath(contextPath);
    } else {
        cookie.setPath("/");
    }
    response.addCookie(cookie);

On Mon, Jan 31, 2011 at 2:46 AM, Janne Jalkanen wrote:

> I know this isn't particularly helpful, but if you do switch from https to http AND keep the same session identifier, you *do* have a need for encryption, and hence shouldn't be switching to http.
>
> The reason for this is that session id hijacking is ridiculously easy these days, so having http and https mixed for the same domain is almost as good as not having https in the first place. Check out Firesheep http://codebutler.com/firesheep?c=1. Running it on any nearby open WiFi network should get you a ton of Facebook logins in no time (of course, actually using them would probably be illegal, depending on your jurisdiction). You can even as an exercise script your own app into it and see how easy it is to collect the user sessions...
>
> I'd say that generating a new session ID is good design, not an issue ;-)
>
> (Having said that, you could just use your own session tracking and your own cookie. ActionBeanContext is very helpful in that regard; or you could have a custom Filter to take care of it.)
>
> /Janne
>
> On 31 Jan 2011, at 02:42, Adam Stokar wrote:
>
> > As many of you know, there is an issue when you switch from https to http due to a new session variable being generated for the non-secure request. Has anyone found an easy way to handle this with Stripes? I would like a way to say a certain ActionBean should force https (like editing billing information) and others should force http if there isn't a need for encryption.
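Added example, not from the thread: the counterpart of the setSecure(false) snippet above for a site that keeps the session on HTTPS only, with the container's own session cookie marked Secure and the session ID replaced at login. It assumes a Servlet 3.0 container; the class name, the attribute name and the two static methods are hypothetical.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: HTTPS-only session cookie plus a fresh ID at login. */
@WebListener
public class SecureSessionSetup implements ServletContextListener {

    // Hypothetical attribute name under which the logged-in user is stored.
    private static final String USER_ATTR = "authenticatedUser";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        SessionCookieConfig cookie = event.getServletContext().getSessionCookieConfig();
        // Always mark JSESSIONID as Secure, even when the container sees
        // plain HTTP because TLS ends at a load balancer. The browser then
        // never sends the session ID over an http:// request.
        cookie.setSecure(true);
        // Keep the session ID out of reach of page scripts.
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to release
    }

    /**
     * Call once the credentials have been verified. Any session that existed
     * before login is discarded, so an ID that was issued earlier (possibly
     * over plain HTTP) never becomes an authenticated session.
     */
    public static HttpSession startAuthenticatedSession(HttpServletRequest request,
                                                        String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, userId);
        return session;
    }

    /** Returns the logged-in user id, or null when the request has no login. */
    public static String authenticatedUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }
}
```

With this in place a request that arrives over http:// carries no session cookie, so authenticatedUser returns null there and the page is served as for an anonymous visitor.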
Re: [Stripes-users] HTTPS to HTTP switching
I know this isn't particularly helpful, but if you do switch from https to http AND keep the same session identifier, you *do* have a need for encryption, and hence shouldn't be switching to http.

The reason for this is that session id hijacking is ridiculously easy these days, so having http and https mixed for the same domain is almost as good as not having https in the first place. Check out Firesheep http://codebutler.com/firesheep?c=1. Running it on any nearby open WiFi network should get you a ton of Facebook logins in no time (of course, actually using them would probably be illegal, depending on your jurisdiction). You can even as an exercise script your own app into it and see how easy it is to collect the user sessions...

I'd say that generating a new session ID is good design, not an issue ;-)

(Having said that, you could just use your own session tracking and your own cookie. ActionBeanContext is very helpful in that regard; or you could have a custom Filter to take care of it.)

/Janne

On 31 Jan 2011, at 02:42, Adam Stokar wrote:

> As many of you know, there is an issue when you switch from https to http due to a new session variable being generated for the non-secure request. Has anyone found an easy way to handle this with Stripes? I would like a way to say a certain ActionBean should force https (like editing billing information) and others should force http if there isn't a need for encryption.
[Stripes-users] HTTPS to HTTP switching
As many of you know, there is an issue when you switch from https to http due to a new session variable being generated for the non-secure request. Has anyone found an easy way to handle this with Stripes? I would like a way to say a certain ActionBean should force https (like editing billing information) and others should force http if there isn't a need for encryption.