Hello Harry,

sorry, I did not want to press this point too much. And for the record: my
Tomcat works that way. Anything placed in session scope remains present
between different requests made with http and https, even the authenticated
user. The only thing I noticed was a caching issue, where my browser
served an old page from the cache over http although it should have shown
something different, having made the request before over https.

Greetings (Off now, too ;-)

Andreas Mohrig

-----Original Message-----
From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 November 2003 18:29
To: Tomcat Users List
Subject: Re: Sessions - SSL


Hello Andreas

> So maybe it would be a good idea to stick to SSL for that reason alone (and
> 'accidentally' save yourself the trouble of having to solve your current
> problem).

Yes, okay, I take your point. I would still like to know, for the record,
whether or not sessions are meant to be 'transferable' (so to speak) between
SSL and non-SSL requests.

(Off for a few hours now...)

Regards

Harry Mantheakis
London, UK


> Hello Harry,
> 
>> I was getting users to log in using SSL, and then switching to non-SSL in
>> order to avoid the SSL overheads. (When I decided I could not 'hang on' to
>> the same session, I decided to stick with SSL permanently.)
> 
> So you manage to protect the password (which would otherwise be sent as
> clear text). But afterwards your sessions are more or less unprotected.
> Anyone sitting in the middle could grab a session and act as the previously
> logged-in user if he can observe just one request that is not encrypted.
> 
> So maybe it would be a good idea to stick to SSL for that reason alone (and
> 'accidentally' save yourself the trouble of having to solve your current
> problem).
> 
> Greetings
> 
> Andreas Mohrig
> 
> -----Original Message-----
> From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 12 November 2003 18:12
> To: Tomcat Users List
> Subject: Re: Sessions - SSL
> 
> 
> Hello Andreas
> 
>> if you only want to protect the data that the
>> user sends to the server...
> 
> I was getting users to log in using SSL, and then switching to non-SSL in
> order to avoid the SSL overheads. (When I decided I could not 'hang on' to
> the same session, I decided to stick with SSL permanently.)
> 
>> Have you tried to encode the sessionid in the request-url with
>> response.encodeURL("TARGET-URL")?...
> 
> I shall have to dig up the code to double-check, and it may take me a while,
> so please bear with me on that.
> 
> Regards
> 
> Harry Mantheakis
> London, UK
> 
> 
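Andreas's warning above, that anyone in the middle who observes a single unencrypted request can replay the session id and act as the logged-in user, is a risk the application has to handle itself, since Tomcat hands the same session to http and https requests alike. The servlet filter below is an added illustration, not code from this thread or from Tomcat; the class name and the session attribute name `session.tlsOnly` are assumed. It refuses to honour a session that has carried HTTPS traffic once its id shows up on a plain-HTTP request.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (assumed name, not part of Tomcat): a session that has
 * been used over TLS is marked, and any later plain-HTTP request carrying the
 * same session id is rejected and the session invalidated, so an id sniffed
 * from the wire cannot be replayed to inherit the authenticated user.
 */
public class RequireTlsForSessionFilter implements Filter {

    // Assumed attribute name recording that the session has carried TLS traffic.
    static final String TLS_ONLY_ATTR = "session.tlsOnly";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create one here
        if (session != null) {
            boolean tlsOnly = Boolean.TRUE.equals(session.getAttribute(TLS_ONLY_ATTR));
            if (request.isSecure()) {
                // Remember that this session now holds state obtained over TLS.
                session.setAttribute(TLS_ONLY_ATTR, Boolean.TRUE);
            } else if (tlsOnly) {
                // The id has just been exposed in clear text: treat it as burnt.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session established over HTTPS may not be used over HTTP");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

On Servlet 3.0 or later the session cookie can additionally be marked Secure in web.xml via `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>`, so that browsers never send it over http in the first place.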

