Thanks much for the tip -- I have to disagree about this not being a necessary change. There are plenty of apps where people browse without a secure connection, but have to log in to perform some functions. Users like to bookmark pages -- why should I force them to bookmark only non-secure pages? Giving a developer control over how session cookies function is better than forcing a hack where you have to always redirect to a non-secure page to establish the session. If you are writing an application where the session data is so sensitive that you have to protect against session hijacking, you should know about the difference between secure and non-secure cookies. I've got no problem if the default behavior uses secure cookies whenever possible, but change the "Session uses cookie" parameter to have a flag that allows session cookies to always be non-secure.
http://nagoya.apache.org/bugzilla
However, there aren't very many developers who like the idea of allowing you to hang yourself :).
Andrew,
What reason is there for preventing users from bookmarking secure pages? I don't follow you there.
Also, as far as I can see, the Java community has decided that once you start a secure session, you should stay in a secure session, for various security reasons. Are you doing a secure login and then redirecting back to http afterwards?
Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
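The behaviour the two messages above disagree about is the cookie Secure attribute: a session cookie that the container marks Secure (because the session was created over HTTPS) is never sent by the browser on a plain http:// request, so a user who bookmarks an https page and later browses to an http page arrives without a session; a session cookie without the attribute follows the user onto http pages but then travels in cleartext, where anyone on the path can copy the session ID. The following is an added example, not code from the original thread, from Tomcat or from Struts; it uses Python's standard http.cookiejar to model how a browser's cookie jar applies the attribute. The hostname app.example.com and the session ID value are constructed for the example; JSESSIONID is the servlet session cookie name.

```python
"""Model a browser's treatment of a session cookie with and without the
Secure attribute, using only the standard library (http.cookiejar).

Constructed example: the hostname and session ID below are made up.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "app.example.com"      # assumed hostname for the example
SESSION_ID = "A1B2C3D4E5F6"   # constructed session ID value


def make_session_cookie(value: str, secure: bool) -> Cookie:
    """Build a JSESSIONID cookie the way a servlet container would set it.

    secure=True models the container marking the cookie Secure because the
    session was created over HTTPS; secure=False models the "always
    non-secure" flag proposed in the thread.
    """
    return Cookie(
        version=0, name="JSESSIONID", value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def jar_with(cookie: Cookie) -> CookieJar:
    """A fresh cookie jar holding exactly one cookie."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    return jar


def cookie_header_for(jar: CookieJar, url: str):
    """Return the Cookie header the jar would attach to a request for url,
    or None when the policy withholds every cookie (a Secure cookie on http).
    """
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_reaches_server(secure_flag: bool, url: str) -> bool:
    """True when the server would see JSESSIONID on a request for url."""
    jar = jar_with(make_session_cookie(SESSION_ID, secure_flag))
    return cookie_header_for(jar, url) is not None


def exposed_in_cleartext(secure_flag: bool, url: str) -> bool:
    """True when the session ID would be sent over a plaintext connection,
    i.e. where a passive observer on the path could copy it and hijack the
    session."""
    return url.startswith("http://") and session_reaches_server(secure_flag, url)


def compare() -> dict:
    """Run both configurations against an https page and a bookmarked http page."""
    https_page = f"https://{HOST}/account"
    http_page = f"http://{HOST}/catalog"
    result = {}
    for label, secure_flag in (("secure", True), ("non_secure", False)):
        result[label] = {
            "https_keeps_session": session_reaches_server(secure_flag, https_page),
            "http_keeps_session": session_reaches_server(secure_flag, http_page),
            "http_exposes_id": exposed_in_cleartext(secure_flag, http_page),
        }
    return result


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

Run as a script it prints one line per configuration: with the Secure attribute the session survives only on the https page and the ID never leaves on plaintext; without it the bookmarked http page keeps the session, and the same request carries the ID in the clear. That is the trade the thread is arguing over, stated in the browser's own cookie-policy terms.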
