Well, obviously the only thing being protected here is the login and password; user activity after the login will be open to snooping, hijacking, etc. So here's what I think you should do.

1) User logs in through ssl.

2) After a successful login (still SSL, don't put anything in the session yet), pass the user's ID and a one-way hashed version of their password to a non-SSL page that authenticates this information and sets up their session.

Dave
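As an added example (not code from Dave's message or from the Tomcat project), the two-step handoff above written as servlet code. It swaps in a random single-use token for the hashed password in step 2, because a fixed hash sent over plain HTTP can be captured and replayed just like the password itself; the non-SSL page redeems the token exactly once and only then creates the session. The class name LoginHandoff, the /myApp/enter path, the t parameter, the "user" attribute and the javax.servlet API (Tomcat 9 and earlier) are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginHandoff {
    // Server-side store of pending one-time tokens -> user id (constructed for
    // this example; a real deployment would also expire entries after a minute or so).
    private static final Map<String, String> PENDING = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1, SSL side: credentials have already been verified. Mint a random,
    // single-use token and redirect to the plain-HTTP entry page with it.
    // Nothing is stored in the HttpSession yet.
    public static void afterSslLogin(String userId, HttpServletRequest req,
                                     HttpServletResponse resp) throws IOException {
        byte[] raw = new byte[32];                       // 256 bits of randomness
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        PENDING.put(token, userId);
        // Assumed path; /myApp/enter is served by the non-SSL connector.
        resp.sendRedirect("http://" + req.getServerName() + "/myApp/enter?t=" + token);
    }

    // Step 2, non-SSL side: redeem the token. remove() makes it single use, so a
    // replayed or guessed token finds nothing and gets 403 instead of a session.
    public static boolean redeemAndStartSession(HttpServletRequest req,
                                                HttpServletResponse resp) throws IOException {
        String token = req.getParameter("t");
        String userId = (token == null) ? null : PENDING.remove(token);
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        HttpSession session = req.getSession(true);      // session is created only now
        session.setAttribute("user", userId);            // the marker every JSP checks
        return true;
    }
}
```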

> -----Original Message-----
> From: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 09, 2002 9:19 AM
> To: 'Tomcat Users List'
> Subject: RE: SSL just for a login page
> 
> 
> Hi
> 
> Let me reply to a few of the emails.
> 
> >>the problem is your own encryption isn't signed by a third party, which means if someone hacks into your server, they could compromise the security.
> 
> Wouldn't this still be a problem if my public key was signed by a CA?? Isn't the cert. for the client to verify who I am? This would not affect the SSL encryption??????
> 
> 
> >>Why don't you just build your redirect after they log in.
> >>
> >>    response.sendRedirect("http://" + request.getServerName() + "/myApp/home.jsp");
> 
> I have tried this. What I am doing is using the login to set up a session and adding an attribute to this session. Every JSP checks the session for this object to verify that the user has logged in; if they have not, or they have logged out, the user is unable to bookmark or go backward into the website. Using the redirect like this somehow interferes with the session and messes up the checking. I am not sure why this happens?????
> 
> Glen
> 
> 
> --
> To unsubscribe, e-mail:   
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: 
> <mailto:[EMAIL PROTECTED]>
> 
> 
