The problem is that jumping from HTTPS to HTTP pretty much invalidates the entire point of HTTPS.
You're probably using HTTPS to hide the password from someone sniffing packets. The problem is that once someone is logged in, you need to send back some kind of session info to track the user. You need to do this for every request (typically the cookie from the client). When you switch back to HTTP, that session information is sent in the clear, and a Man In The Middle can sniff THAT information, and essentially "take over" the session. Thus, defeating the security in the first place.

So, once in HTTPS, you should stick with it.

Regards,

Will Hartung
([EMAIL PROTECTED])
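The exposure described in the message above, as an added example that is not part of the original post: Python's standard-library cookie jar stands in for the browser and reports whether a session cookie set during an HTTPS login is attached to a later plain-HTTP request. The host name, cookie value and the `cookie_sent` helper are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample values; not taken from any real site.
LOGIN_URL = "https://shop.example.test/login"
HTTP_PAGE = "http://shop.example.test/catalog"
HTTPS_PAGE = "https://shop.example.test/catalog"
PLAIN_COOKIE = "JSESSIONID=constructed123; Path=/"
SECURE_COOKIE = "JSESSIONID=constructed123; Path=/; Secure"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, does not replace

    def info(self):
        return self._headers


def cookie_sent(set_cookie_header, login_url, next_url):
    """Return the Cookie header a client would attach to next_url after
    receiving set_cookie_header from login_url, or None if nothing is sent."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie_header]),
                        urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("no Secure flag, back to HTTP ", PLAIN_COOKIE, HTTP_PAGE),
        ("Secure flag, back to HTTP    ", SECURE_COOKIE, HTTP_PAGE),
        ("Secure flag, stay on HTTPS   ", SECURE_COOKIE, HTTPS_PAGE),
    ]
    for label, header, url in cases:
        sent = cookie_sent(header, LOGIN_URL, url)
        # On an http:// URL anything sent is readable by a packet sniffer.
        exposed = sent is not None and url.startswith("http://")
        print(f"{label} -> sent={sent!r} cleartext_exposure={exposed}")
```

With the `Secure` flag the session does not follow the user back to HTTP at all, so the application has to stay on HTTPS after login to keep the user logged in.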
