On Thu, 8 Aug 2002, Jose Francisco Junior wrote:

> Date: Thu, 08 Aug 2002 15:39:16 -0400
> From: Jose Francisco Junior <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: SSL Session x Non SSL Session Problem
>
> Please,
>
> Does anybody know anything about the problem below !!!
>
> I can't share a session object that was instantiated on an
>  SSL connection with a NON SSL connection.
>
> I am trying to authenticate users using an SSL connection
>  and after the authentication I forward the request to a
>  Non-SSL connection but the session object is invalidated.
>
> How can I solve this problem?
>

You really really really don't want to do that.

Once you switch back to non-SSL, the session id would be transmitted in
cleartext -- so anyone snooping on your network connection could easily
impersonate you.  If the user's password is sensitive enough to protect,
the whole session should be as well.  Otherwise, you'll just live under an
illusion of security.

> Thanks in advance,
> Junior

Craig

