We do the switch, using Apache1.3.20/Tomcat3.2.4 on Solaris. We just use an absolute URL when doing the switch. No problems with lost sessions. - Dan
----- Original Message ----- I've read the list archives and I'm aware of the security "issue", but I still want to switch from HTTPS to HTTP. Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info. We get a _lot_ of traffic. Running everything under SSL is not really an option. Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS->HTTP so the user is forced to log in again. -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>