I've read the list archives and I'm aware of the security "issue", but I
still want to switch from HTTPS to HTTP.

Yes, I know someone could hijack the session.  We're not worried about
that; at worst someone could make some obnoxious posts to a forum.  We
force users to submit their password a second time (and go into SSL, of
course) whenever anything sensitive is touched, such as passwords or
credit card info.

We get a _lot_ of traffic.  Running everything under SSL is not really
an option.  Can Apache/Tomcat/mod_jk be made to handle the switch?  In
our current configuration, it appears that the session is getting lost
in the transition from HTTPS->HTTP so the user is forced to log in
again.

Thanks,
Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online



> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@;apache.org]
> Sent: Monday, October 28, 2002 8:37 PM
> To: Tomcat Users List
> Subject: Re: Force One page to not use SSL
> 
> 
> 
> On Mon, 28 Oct 2002, Rustad, Aaron wrote:
> 
> > Date: Mon, 28 Oct 2002 17:48:40 -0700
> > From: "Rustad, Aaron" <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > Subject: Force One page to not use SSL
> >
> > I am trying to force one page NOT to use HTTPS and still maintain the
> > session. I have looked in mailing list, and all I see is how you are not
> > supposed to do this. Well, I really...really...really need to do this and
> > yes, I understand that I shouldn't.
> >
> > So, if anyone knows how I can maintain the session that is given to my
> > client from HTTPS -> HTTP I would greatly appreciate it.
> >
> 
> There is no support for this because it would be a huge security hole.
> For much discussion on this topic, check the mailing list archives.
> 
> > Some background:
> >
> > 1. IIS as a front for Tomcat 4.0.1.
> > 2. Using AJP13
> >
> > Thanks!
> > Aaron.
> 
> Craig
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-
> [EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:tomcat-user-
> [EMAIL PROTECTED]>
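
Added example, not part of the original thread and not Tomcat code: a small Python model of the lost-session symptom and of the split design the top message describes (an HTTP-visible forum session plus a re-authenticated HTTPS-only one). It assumes the session cookie issued during the HTTPS login carries the Secure attribute, which browsers withhold from plain-HTTP requests; the cookie names SID and SID_STEPUP and all token values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample tokens, kept in separate stores so a forum token
# can never be replayed as a step-up token.
FORUM = {"sid-forum-111": "jeff"}
STEPUP = {"sid-stepup-222": "jeff"}

def store(jar, set_cookie_headers):
    """Record Set-Cookie headers as name -> (value, secure flag)."""
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = (morsel.value, bool(morsel["secure"]))
    return jar

def cookies_sent(jar, scheme):
    """What a browser attaches: Secure cookies are withheld from plain http."""
    return {n: v for n, (v, secure) in jar.items()
            if scheme == "https" or not secure}

def authorize(scheme, cookies, sensitive=False):
    """Server-side check for the split design (hypothetical cookie names)."""
    user = FORUM.get(cookies.get("SID"))
    if user is None:
        return "login required"
    if not sensitive:
        return "ok"
    # Sensitive actions need TLS and the Secure step-up cookie issued after
    # the second password prompt; the http-visible SID alone is not enough.
    if scheme != "https" or STEPUP.get(cookies.get("SID_STEPUP")) != user:
        return "re-authenticate over https"
    return "ok"

def secure_only_login():
    """Session cookie issued with Secure: it never reaches the http page."""
    jar = store({}, ["SID=sid-forum-111; Path=/; Secure; HttpOnly"])
    return authorize("http", cookies_sent(jar, "http"))

def split_cookie_login():
    """Forum session visible on http, step-up cookie confined to https."""
    jar = store({}, ["SID=sid-forum-111; Path=/; HttpOnly",
                     "SID_STEPUP=sid-stepup-222; Path=/; Secure; HttpOnly"])
    copied = {"SID": "sid-forum-111", "SID_STEPUP": "sid-forum-111"}
    return {
        "forum_http": authorize("http", cookies_sent(jar, "http")),
        "card_http": authorize("http", cookies_sent(jar, "http"), True),
        "card_https": authorize("https", cookies_sent(jar, "https"), True),
        "card_copied_sid": authorize("https", copied, True),
    }
```

`secure_only_login()` reproduces the forced re-login on the HTTP page; `split_cookie_login()` shows that a session identifier exposed over HTTP grants forum access only, never the sensitive action.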

