ok, I see your point.
My approach is that I only use https to scramble the login request itself, 
so that a login password cannot be read, or sniffed, in clear text (it 
probably still can, if someone really, really tries). Nothing critical is 
stored in the http session itself.
A lot of websites do something similar, where only the password part is 
secure, and subsequent pages are insecure. And to change password, the old 
one has to be entered. I guess I'm at a bit of a loss for a better way to do 
this?? Any well known approaches out there?


-Henrik
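As an added illustration of the point Jake makes below (not code from this thread, Tomcat, or either poster): a servlet filter that refuses to let a session that was used over https keep living over plain http, which is "dump the session on your own before moving to http" applied automatically. It is written against the Servlet 2.3 API that Tomcat 4.x implements; the class name, the session attribute key and the web.xml mapping are my own choices, and the filter relies on `request.isSecure()`, which with Apache in front is only as reliable as the SSL information the connector forwards to Tomcat.

```java
// Added example, not from the mailing-list thread or from Tomcat itself.
// Servlet 2.3 API (javax.servlet); class and attribute names are assumptions.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SchemeBoundSessionFilter implements Filter {

    /** Session attribute recording that this session has been used over https. */
    static final String USED_OVER_HTTPS = "example.usedOverHttps";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Never create a session here; only inspect one the client already presented.
        HttpSession session = request.getSession(false);

        if (session != null) {
            boolean secureRequest = request.isSecure();
            boolean secureSession =
                Boolean.TRUE.equals(session.getAttribute(USED_OVER_HTTPS));

            if (secureRequest && !secureSession) {
                // First https request on this session: from now on whatever the
                // application stores in it (card details, etc.) is bound to https.
                session.setAttribute(USED_OVER_HTTPS, Boolean.TRUE);
            } else if (!secureRequest && secureSession) {
                // The session id has just crossed the wire in clear text, so anyone
                // sniffing it could replay it. Treat the session as burnt: invalidate
                // it so nothing entered under https is reachable with the sniffed id.
                // The application must then start a fresh plain-http session that
                // holds only non-sensitive state (e.g. the user name, never a secret).
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map it in web.xml with a `<filter>` element naming the class and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>` so it runs in front of every request in the context. With this in place the https login can still hand the user off to http, but the handoff has to be explicit: the login servlet validates the password over https, invalidates that session, and redirects to a plain-http page that starts a new session containing nothing you would mind being read off the network.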

>From: Jacob Kjome <[EMAIL PROTECTED]>
>Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
>To: "Tomcat Users List" <[EMAIL PROTECTED]>
>Subject: Re: problem with session tracking and redirection http<--->  https 
>Date: Wed, 16 Oct 2002 23:33:41 -0500
>
>
>This is the way Tomcat 4.x.x is made to work.  The reason for this is 
>security.  I think it can be assumed that you were under https for a 
>reason.  Maybe you entered your credit card info and are storing that in the 
>session until the final submit.  Now, if you stayed in the same session 
>when moving to http from https, your session id is in plain text.  This can 
>be hijacked by anyone sniffing network packets.  Once they have your 
>session id, theoretically, they have full access to everything you entered 
>in that session including your credit card info.  This is a *huge* security 
>issue and Tomcat.  Even if Tomcat-3.3.x allows you to do this, you would be 
>wise to dump the session on your own before moving to http for your users' 
>security.
>
>Obviously, this requires that you rethink some of your application flow, 
>but Tomcat-4.x.x is doing the right thing here.
>
>Jake
>
>At 02:28 AM 10/17/2002 +0000, you wrote:
>>Help!
>>
>>I recently tried to upgrade my version of Tomcat from 3.3 to 4.1 (I also 
>>tried 4.0). My problem is that for some reason the httpsession is lost 
>>after redirection from https to http. I run apache in front of tomcat to 
>>handle static content plus certificate. My webapp depends on the ability to 
>>log in a user over a secure connection then redirect to an unsecure connection. 
>>I do the usual
>>res.sendRedirect(res.encodeRedirectURL.....)). But after redirecting to 
>>http protocol (to the same webapp context) the http session is null.
>>My webapp works fine in Tomcat 3.3. Nothing has changed except tomcat 
>>version and of course the tomcat conf. files. I've tried both the Coyote 
>>connector and the ajp13 one. mod_jk and mod_jk2 (which I couldn't get 
>>working) on the apache side. I've tried Apache 1.3 and Apache 2. And I am 
>>going insane.
>>My server.xml file is close to the default one, I've only added my 
>>context (defining docbase and such). For 3.3 this worked like a charm.
>>Anyone??
>>
>>-Henrik
>>
