"Harry Mantheakis" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> Hello Andreas
>
> > So maybe it would be a good idea to stick to SSL for that reason alone (and
> > 'accidentally' save yourself the trouble of having to solve your current
> > problem).
>
> Yes, okay, I take your point. I would still like to know, for the record,
> whether or not sessions are meant to be 'transferable' (so to speak) between
> SSL and non-SSL requests.

URL-rewriting sessions are not 'transferable' as per the Servlet 2.3 Spec.
Cookie sessions in Tomcat 3.3.2 and higher follow these rules:

a) If you create the session with a non-SSL request, then it will be
   transferred back and forth between SSL and non-SSL (unless, of course,
   your browser chooses not to send the cookie :).

b) If you create the session with an SSL request, then it won't be
   available for non-SSL requests.

> (Off for a few hours now...)
>
> Regards
>
> Harry Mantheakis
> London, UK
>
>
> > Hello Harry,
> >
> > > I was getting users to log in using SSL, and then switching to non-SSL in
> > > order to avoid the SSL overheads. (When I decided I could not 'hang on' to
> > > the same session, I decided to stick with SSL permanently.)
> >
> > So you manage to protect the password (which would otherwise be sent as
> > clear text). But afterwards your sessions are more or less unprotected.
> > Anyone sitting in the middle could grab a session and act as the previously
> > logged-in user if he can observe just one request that is not encrypted.
> >
> > So maybe it would be a good idea to stick to SSL for that reason alone (and
> > 'accidentally' save yourself the trouble of having to solve your current
> > problem).
> >
> > Greetings
> >
> > Andreas Mohrig
> >
> > -----Original Message-----
> > From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 12 November 2003 18:12
> > To: Tomcat Users List
> > Subject: Re: Sessions - SSL
> >
> >
> > Hello Andreas
> >
> > > if you only want to protect the data that the
> > > user sends to the server...
> >
> > I was getting users to log in using SSL, and then switching to non-SSL in
> > order to avoid the SSL overheads. (When I decided I could not 'hang on' to
> > the same session, I decided to stick with SSL permanently.)
> >
> > > Have you tried to encode the sessionid in the request-url with
> > > response.encodeURL("TARGET-URL")?...
> >
> > I shall have to dig up the code to double-check, and it may take me a while,
> > so please bear with me on that.
> >
> > Regards
> >
> > Harry Mantheakis
> > London, UK
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
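As an added illustration (this is not code from the thread, from Tomcat, or from any of the posters), the Python model below replays the scenarios discussed above: the two cookie-session rules in the reply (a session created over non-SSL travels over both channels, a session created over SSL does not) and Andreas's warning that a logged-in session which crosses a plaintext request can be captured and replayed. The mechanism it assumes is not stated on the page: the container flags the JSESSIONID cookie Secure exactly when the creating request came over SSL, and the browser applies the standard rule that a Secure cookie is only attached to https requests. Session ids, the Browser and Server classes and the replay helper are all constructed here for the example.

```python
"""Toy browser cookie jar plus container-like session store, used to
replay the SSL / non-SSL session scenarios from the thread above.

Assumed mechanism (an assumption, not stated on the page): the container
marks the session cookie Secure iff the session was created over SSL, and
the browser sends Secure cookies only over https.  Ids are generated
locally; nothing touches the network.
"""
import secrets

COOKIE = "JSESSIONID"  # Tomcat's session cookie name


class Browser:
    """Single-host cookie jar keyed by cookie name."""

    def __init__(self):
        self.jar = {}  # name -> (value, secure_flag)

    def cookies_for(self, scheme):
        # Secure cookies are only attached to https requests.
        return {name: value for name, (value, secure) in self.jar.items()
                if scheme == "https" or not secure}

    def store(self, set_cookies):
        # A Set-Cookie with an existing name replaces the stored cookie,
        # whatever the old Secure flag was (classic RFC 6265 behaviour).
        for name, value, secure in set_cookies:
            self.jar[name] = (value, secure)


class Server:
    """Creates a session when a request carries no valid id and marks the
    cookie Secure iff that request came over SSL (assumed behaviour)."""

    def __init__(self):
        self.sessions = {}  # id -> attributes

    def handle(self, scheme, cookies, login=False):
        set_cookies = []
        sid = cookies.get(COOKIE)
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"authenticated": False}
            set_cookies.append((COOKIE, sid, scheme == "https"))
        if login:
            self.sessions[sid]["authenticated"] = True
        return sid, set_cookies


def replay(login_scheme, later_schemes):
    """Log in over login_scheme, then issue the later requests.
    Returns (ids the server saw, ids visible in plaintext traffic, server)
    so callers can check session continuity and exposure."""
    browser, server = Browser(), Server()
    seen, exposed = [], set()
    schemes = [login_scheme] + list(later_schemes)
    for i, scheme in enumerate(schemes):
        cookies = browser.cookies_for(scheme)
        sid, set_cookies = server.handle(scheme, cookies, login=(i == 0))
        browser.store(set_cookies)
        if scheme == "http":  # request and response travel in clear text
            exposed.update(cookies.values())
            exposed.update(value for _, value, _ in set_cookies)
        seen.append(sid)
    return seen, exposed, server


def same_session_throughout(login_scheme, later_schemes):
    """Rules a)/b) from the reply: did the browser keep one session id?"""
    seen, _, _ = replay(login_scheme, later_schemes)
    return len(set(seen)) == 1


def login_session_hijackable(login_scheme, later_schemes):
    """Andreas's point: could a passive observer of plaintext traffic
    capture an id that is still bound to the logged-in user?"""
    _, exposed, server = replay(login_scheme, later_schemes)
    return any(server.sessions[sid]["authenticated"] for sid in exposed)


if __name__ == "__main__":
    for login, rest in [("http", ["https", "http"]),
                        ("https", ["http", "https"]),
                        ("https", ["https", "https"])]:
        print(login, rest,
              "same session:", same_session_throughout(login, rest),
              "hijackable:", login_session_hijackable(login, rest))
```

Logging in over http and then mixing channels keeps one session id (rule a) but leaves that authenticated id on the wire in clear text, which is exactly the replay Andreas describes. Logging in over https and then dropping to http loses the session (rule b): the plain request carries no cookie, the server hands out a fresh unauthenticated id, and the login id is never exposed. Staying on https throughout keeps the session and exposes nothing, which is the outcome Harry settled on.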