On Fri, 18 Oct 2002, Henrik Bentel wrote:
> Date: Fri, 18 Oct 2002 23:07:17 +0000
> From: Henrik Bentel <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: problem with session tracking and redirection http<---> https
>
> yeah, I always encode the redirection URL.
> it's weird that it works if the session is created while under http, but not
> under https.
>
> bug maybe?
>

Nope ... avoidance of a huge security hole.  Once a session is accessed via https, it should never ever be allowed to be accessed from http again.  The reason for this is that the session id is transmitted in clear text, so anyone who can snoop the network can hijack your session and impersonate the originally authenticated user (even if that user originally authenticated on an encrypted channel).

Do not, under any circumstances, design applications that depend on maintaining session state across an https --> http transition.

Craig McClanahan

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
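The rule Craig states (a session that has been used over https must never be honoured over http again) can also be enforced inside the application itself, as a backstop to whatever the container does with the session cookie. The servlet filter below is an added example written for this note; it is not code from the thread, from Tomcat, or from Craig. It assumes the `javax.servlet` package names of the Servlet 2.x API current in 2002 (Tomcat 10 and later use `jakarta.servlet` instead), and the session attribute name `example.sessionSeenOverHttps` is an arbitrary marker chosen for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not Tomcat's own code.
 *
 * Marks a session as "https-only" the first time it is touched over a
 * secure connection. If the same session id later arrives over plain http,
 * the id has already crossed the wire in clear text, so the session is
 * invalidated (an eavesdropper who captured it must not be able to use it)
 * and the request is refused.
 */
public class HttpsOnlySessionFilter implements Filter {

    // Session attribute used as the "seen over https" marker (name is an assumption).
    static final String SECURE_MARK = "example.sessionSeenOverHttps";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // false: only look at an existing session, never create one just to inspect it
        HttpSession session = request.getSession(false);

        if (session != null) {
            boolean markedSecure = Boolean.TRUE.equals(session.getAttribute(SECURE_MARK));

            if (request.isSecure()) {
                // First https request for this session: remember that from now on
                // the id must only ever be presented over an encrypted channel.
                if (!markedSecure) {
                    session.setAttribute(SECURE_MARK, Boolean.TRUE);
                }
            } else if (markedSecure) {
                // The https-only session id was just sent in the clear.
                // Treat it as compromised: destroy it and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session was established over https and cannot be used over http");
                return;
            }
        }

        chain.doFilter(req, res);
    }
}
```

Register the filter in `web.xml` with a `<filter>` entry and a `<filter-mapping>` whose `<url-pattern>` is `/*` so that every request passes through it. Two points worth keeping in mind: Tomcat already sets the `Secure` attribute on the `JSESSIONID` cookie when the session is created over https, so the browser itself will not send that cookie over http, which is the behaviour the original poster observed; the filter only adds a server-side check for clients and URL-rewritten session ids that ignore the cookie flag. Conversely, a session that was created over http and then carried into https has already exposed its id in clear text once, so an application that authenticates users at that transition should discard the old session (`session.invalidate()` followed by `request.getSession(true)`) rather than keep the id an eavesdropper may already hold.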