> The problem is that if you keep the same session id after you switch to
> https it is possible that somebody steals your secure session. The only
That's true. At least in theory, and some crackers might come pretty close. Dump sniffers and traffic loggers cannot read your data with SSL, but a real-time intelligent human connected to the cable will get you.

As a consequence, switching from https to http and back is about as secure as not using SSL at all. So you are shooting yourself in the foot by thinking that everything is safe, but your webapp is just one very big hole.

Regards,
Carsten
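The point both messages make is that a session id issued over plain http has already travelled in cleartext, so it must not remain valid once the session carries data over https. The following added example (not code from Carsten, the original poster, or any project on this list) shows the two server-side policies side by side: keeping the id across the switch, and rotating it when the first https request arrives while also marking the cookie `Secure`. The `SessionStore` class, the cookie name `SESSIONID`, and the "sniffed" value are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    secure: bool                      # True once the session is bound to https
    data: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical in-memory session store with a configurable upgrade policy."""

    def __init__(self, rotate_on_upgrade: bool) -> None:
        self.rotate_on_upgrade = rotate_on_upgrade
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derive ids from time or counters
        return secrets.token_urlsafe(32)

    def create(self, user: str, over_https: bool) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, secure=over_https)
        return sid

    def on_https_upgrade(self, sid: str) -> str:
        """Handle the first request carrying `sid` that arrives over https.

        With rotation enabled the http-exposed id is invalidated and the
        session continues under a fresh id that only ever travels encrypted.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            raise KeyError("unknown session")
        if self.rotate_on_upgrade:
            del self._sessions[sid]           # old id is now worthless to anyone who saw it
            sid = self._new_id()
            self._sessions[sid] = sess
        sess.secure = True
        return sid

    def lookup(self, sid: str, over_https: bool) -> Optional[Session]:
        """Resolve a presented id; a secure session is never served over plain http."""
        sess = self._sessions.get(sid)
        if sess is None or (sess.secure and not over_https):
            return None
        return sess

    def cookie_header(self, sid: str) -> str:
        attrs = ["HttpOnly"]
        if self._sessions[sid].secure:
            attrs.append("Secure")            # browser will not send it over http
        return "Set-Cookie: SESSIONID=%s; %s" % (sid, "; ".join(attrs))


def run_scenario(rotate_on_upgrade: bool) -> dict:
    """Walk one user through http -> https and report what an eavesdropper's copy is worth."""
    store = SessionStore(rotate_on_upgrade)
    http_id = store.create("alice", over_https=False)   # issued in cleartext
    observed_on_wire = http_id                           # constructed: id seen by a sniffer
    https_id = store.on_https_upgrade(http_id)           # user switches to https
    return {
        "id_changed": https_id != http_id,
        "observed_id_still_valid": store.lookup(observed_on_wire, over_https=True) is not None,
        "cookie": store.cookie_header(https_id),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("rotate_on_upgrade=%s -> %s" % (policy, run_scenario(policy)))
```

With `rotate_on_upgrade=False` the cleartext id keeps working over https, which is exactly the hole described above; with `rotate_on_upgrade=True` the observed id is dead after the switch and the replacement cookie carries `Secure`, so the browser will not leak it if the user is later bounced back to http.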