Re: switch between http and https. how?

2001-10-26 Thread Craig R. McClanahan

On Thu, 25 Oct 2001, Taavi Tiirik wrote:

> Date: Thu, 25 Oct 2001 16:36:35 +0200
> From: Taavi Tiirik [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: switch between http and https. how?
>
> I have Tomcat 4 running fine with both http and https protocols.
> I would like to use http for serving most of the documents and
> only j_security_check (form based login) should be done over
> https. How can I configure this?


There is no way to configure this.

Furthermore, it would be unsafe to rely on this for any sort of security.
Consider the fact that the session id cookie is still transmitted in clear
text, so anyone snooping on the network could easily swipe your session id
(and thus impersonate that user for as long as the session remained
alive), even though they could not see the password because it was
encrypted.

> with best wishes,
> Taavi

Craig


RE: switch between http and https. how?

2001-10-26 Thread Taavi Tiirik

>> I have Tomcat 4 running fine with both http and https protocols.
>> I would like to use http for serving most of the documents and
>> only j_security_check (form based login) should be done over
>> https. How can I configure this?
>
> There is no way to configure this.

Thanks, Craig!

Now I am a bit lost. Would it make sense then to have a whole
site served over https? What are the best practices of
securing login information as well as session id cookie?

with best wishes,
Taavi





RE: switch between http and https. how?

2001-10-26 Thread Craig R. McClanahan
On Fri, 26 Oct 2001, Taavi Tiirik wrote:

> Date: Fri, 26 Oct 2001 17:16:19 +0200
> From: Taavi Tiirik [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: switch between http and https. how?
>
>>> I have Tomcat 4 running fine with both http and https protocols.
>>> I would like to use http for serving most of the documents and
>>> only j_security_check (form based login) should be done over
>>> https. How can I configure this?
>>
>> There is no way to configure this.
>
> Thanks, Craig!
>
> Now I am a bit lost. Would it make sense then to have a whole
> site served over https?

If you are concerned about someone hijacking your session, that's pretty
much the only choice.

> What are the best practices of
> securing login information as well as session id cookie?
>
> with best wishes,
> Taavi

Craig
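For readers who want to follow Craig's advice in practice, here is an added example of how a Tomcat 4 (Servlet 2.3) web application can be forced entirely onto HTTPS, so that the session id cookie is never sent in the clear and not only j_security_check is protected. This is not code from the thread or from the Tomcat project; the login page names, the URL pattern for the protected area and the role name are assumptions made for the example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example (not from the thread): WEB-INF/web.xml for a Tomcat 4 /
     Servlet 2.3 application. The first constraint covers every URL of the
     application and asks only for a confidential transport, so the whole
     site, cookies included, travels over HTTPS. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint here: this rule is about transport, not about
         who may log in. CONFIDENTIAL makes Tomcat answer a plain-HTTP
         request with a redirect to the HTTPS connector, the port named by
         the HTTP connector's redirectPort attribute in server.xml. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Assumed protected area: these URLs additionally require a login
       (the /members/* pattern and the "member" role are assumptions). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login: the container handles j_security_check itself;
       the two page names are assumptions for this example. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Two caveats a practitioner would check: the HTTP connector in server.xml must have its `redirectPort` set to the port of the working HTTPS connector, otherwise the CONFIDENTIAL redirect goes nowhere; and a session that was already created over plain HTTP before the redirect has an id that was already exposed on the wire, so it is worth confirming that the login flow ends up with a session created on the HTTPS side rather than reusing one first issued over HTTP.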


switch between http and https. how?

2001-10-25 Thread Taavi Tiirik


I have Tomcat 4 running fine with both http and https protocols.
I would like to use http for serving most of the documents and
only j_security_check (form based login) should be done over
https. How can I configure this?

with best wishes,
Taavi