Andrew,

Couldn't agree more - I've just been round this circle myself.

I don't care if someone gets a session hijacked in my application, but I don't want passwords transferred over plain text, because people tend to use the same passwords in multiple applications. This application may not need to be completely bulletproof, but you can bet your bottom dollar that some users are using the same passwords as for stuff that does need to be bulletproof. Don't anyone say "well they shouldn't", because they do! :-)

Andy

-----Original Message-----
From: Andrew Mottaz [mailto:[EMAIL PROTECTED]]
Sent: 17 November 2003 05:32
To: Tomcat Users List
Subject: Re: https --> http session problem

> http://nagoya.apache.org/bugzilla. However, there aren't very many
> developers who like the idea of allowing you to hang yourself :).

Thanks much for the tip -- I have to disagree about this not being a necessary change. There are plenty of apps where people browse without a secure connection, but have to log in to perform some functions. Users like to bookmark pages -- why should I force them to bookmark only non-secure pages? Giving a developer control over how session cookies function is better than forcing a hack where you have to always redirect to a non-secure page to establish the session.

If you are writing an application where the session data is so sensitive that you have to protect against session hijacking, you should know about the difference between secure and non-secure cookies. I've got no problem if the default behavior uses secure cookies whenever possible, but change the "Session uses cookie" parameter to have a flag that allows session cookies to always be non-secure.

Just my two-cent rant :)

Andrew

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
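The https --> http session behaviour the thread is arguing about, as an added example that is not from this list or from Tomcat: a small model of a browser cookie jar showing that a session cookie marked Secure at HTTPS login is withheld from plain-HTTP pages (so the session appears to vanish on a bookmarked HTTP page), while a non-Secure one follows the user onto HTTP, where the session id travels in the clear. Host names, paths and the session id are constructed samples.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Minimal model of a browser cookie jar for one host: Path and Secure only."""

    def __init__(self):
        self._cookies = {}  # name -> (value, path, secure)

    def receive(self, set_cookie_header, response_url):
        # Browsers only accept a Secure cookie that arrived over HTTPS.
        scheme = urlsplit(response_url).scheme
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            secure = bool(morsel["secure"])
            if secure and scheme != "https":
                continue
            path = morsel["path"] or "/"
            self._cookies[name] = (morsel.value, path, secure)

    def cookies_for(self, request_url):
        # Return the cookies a browser would attach to a request for request_url.
        parts = urlsplit(request_url)
        sent = {}
        for name, (value, path, secure) in self._cookies.items():
            if secure and parts.scheme != "https":
                continue  # the Secure flag: never sent over plain HTTP
            if not (parts.path or "/").startswith(path):
                continue
            sent[name] = value
        return sent


def simulate_login_then_browse(secure_session_cookie):
    """Log in over HTTPS, then follow a bookmark to a plain-HTTP page.

    Returns whether the session id reaches the HTTPS page and the HTTP page.
    True for http_page also means the id was exposed on the wire.
    """
    jar = CookieJar()
    header = "JSESSIONID=constructed-session-id; Path=/"  # constructed value
    if secure_session_cookie:
        header += "; Secure"
    jar.receive(header, "https://shop.example/login")  # hypothetical host
    https_page = "JSESSIONID" in jar.cookies_for("https://shop.example/account")
    http_page = "JSESSIONID" in jar.cookies_for("http://shop.example/catalog")
    return {"https_page": https_page, "http_page": http_page}
```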
