On Fri, 18 Oct 2002, Maninder S Batth wrote:

> Date: Fri, 18 Oct 2002 20:11:31 -0700
> From: Maninder S Batth <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: problem with session tracking and redirection http<---> https
>
> if session apis and request dispatchers are used for "internal"
> redirection, is there still any security hole??
>

No, but you can't switch from http to https (or from https to http) across a
RequestDispatcher.forward call. The response will be sent on the same protocol
used to submit the request.

Craig

> Craig R. McClanahan wrote:
> >
> > On Fri, 18 Oct 2002, Henrik Bentel wrote:
> >
> >> Date: Fri, 18 Oct 2002 23:07:17 +0000
> >> From: Henrik Bentel <[EMAIL PROTECTED]>
> >> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: problem with session tracking and redirection http<---> https
> >>
> >> yeah, I always encode the redirection URL.
> >> it's weird that it works if the session is created under http, but not
> >> under https.
> >>
> >> bug maybe?
> >>
> >
> > Nope ... avoidance of a huge security hole.
> >
> > Once a session is accessed via https, it should never ever be allowed to
> > be accessed from http again. The reason for this is that the session id
> > is transmitted in clear text, so anyone who can snoop the network can
> > hijack your session and impersonate the originally authenticated user
> > (even if that user originally authenticated on an encrypted channel).
> >
> > Do not, under any circumstances, design applications that depend on
> > maintaining session state across an https --> http transition.
> >
> > Craig McClanahan

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
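The rule Craig states in the quoted reply (a session touched over https must never be honoured over plain http again, because the session id would then have crossed the network in clear text) can be enforced explicitly at the application layer. The servlet Filter below is an added example written for this thread; it is not code from the original messages or from Tomcat itself. It marks a session the first time it is seen on a secure request and, if the same session id later arrives on a non-secure request, invalidates the session and redirects the client to the https form of the URL. The attribute name `SECURE_MARK`, the class name and the assumption that https is served on the default port 443 are all choices of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of the original thread or of Tomcat.
 * Enforces "once https, never http again" for the servlet session:
 *  - a session seen on a secure request is marked;
 *  - a marked session presented on a plain-http request is treated as
 *    exposed (its id just travelled in clear text), invalidated, and the
 *    client is sent to the https equivalent of the requested URL.
 */
public class SecureSessionFilter implements Filter {

    /** Session attribute name; an assumption of this example. */
    static final String SECURE_MARK = "example.sessionSeenOverHttps";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): inspect an existing session without creating one,
        // so an anonymous http visitor does not get a session just for passing here.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // Secure request: remember that this session has lived on https.
            if (session != null) {
                session.setAttribute(SECURE_MARK, Boolean.TRUE);
            }
        } else if (session != null && session.getAttribute(SECURE_MARK) != null) {
            // Plain http request presenting a session that has been used over https:
            // the id is now compromised, so drop the session rather than honour it.
            session.invalidate();
            response.sendRedirect(httpsUrl(request));
            return;
        }

        chain.doFilter(req, res);
    }

    /**
     * Rebuilds the current request URL with the https scheme.
     * Assumes https on the default port 443 (so no explicit port is written).
     */
    static String httpsUrl(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://");
        url.append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to `/*` in `web.xml` so every request passes through it. Invalidating the session (rather than just redirecting) matters: after the redirect the client gets a fresh session id over https, so an id that was observed on the wire is worthless to whoever saw it. This mirrors what the thread describes Tomcat doing on its own; the filter makes the behaviour explicit and controls where the user lands afterwards.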