Man alive! Does this thread have to continue in this direction? Myself and Jeff both have similar problems, and we are requesting a common solution. I think we both expressed that we are aware of the consequences of our "security-flawed" approach to app design, yet everyone seems to think that this has not been thought through.
All I am asking is...does anyone know how to persist a session from HTTPs to HTTP. Any potential solutions are GREATLY appreciate...any other suggestions (even though they might be well-meaning) are discouraged. Thanks! Aaron. -----Original Message----- From: Justin Ruthenbeck [mailto:justinr@;nextengine.com] Sent: October 29, 2002 5:20 PM To: Tomcat Users List Subject: RE: Force One page to not use SSL Jeff -- This may be a bit simple minded since I don't understand your entire situation there, but it doesn't sound like you're interested in protecting these JARs in the first place (hence you don't need HTTPS for them). Why, then, do you even need to make sure the user is authenticated (ie *has* a session) in the first place? Why not just serve them up to anyone who requests them? If you need the user to be in a session, you can approximate (which implies, of course, a less-than-elegant solution) the session by duplicating some of what Tomcat does to handle sessions. Namely, give your own token/cookie to the user and also into your context at HTTPS session start time ... keep your list synched with Tomcat's by removing the tokens whenever sessions are invalidated. When deciding whether to serve up the JARs, use this to determine whether the user is authenticated. Duplication, yes, but it's *a* solution. I'd be interested to hear what you end up doing... justin At 03:56 PM 10/29/2002, you wrote: >I've read the list archives and I'm aware of the security "issue", but I >still want to switch from HTTPS to HTTP. > >Yes, I know someone could hijack the session. We're not worried about >that; at worst someone could make some obnoxious posts to a forum. We >force users to submit their password a second time (and go into SSL, of >course) whenever anything sensitive is touched, such as passwords or >credit card info. > >We get a _lot_ of traffic. Running everything under SSL is not really >an option. Can Apache/Tomcat/mod_jk be made to handle the switch? In >our current configuration, it appears that the session is getting lost >in the transition from HTTPS->HTTP so the user is forced to log in >again. > >Thanks, >Jeff Schnitzer >[EMAIL PROTECTED] >The Sims Online > > > > > -----Original Message----- > > From: Craig R. McClanahan [mailto:craigmcc@;apache.org] > > Sent: Monday, October 28, 2002 8:37 PM > > To: Tomcat Users List > > Subject: Re: Force One page to not use SSL > > > > > > > > On Mon, 28 Oct 2002, Rustad, Aaron wrote: > > > > > Date: Mon, 28 Oct 2002 17:48:40 -0700 > > > From: "Rustad, Aaron" <[EMAIL PROTECTED]> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]> > > > To: "'[EMAIL PROTECTED]'" ><[EMAIL PROTECTED]> > > > Subject: Force One page to not use SSL > > > > > > I am trying to force one page NOT to use HTTPS and still maintain >the > > > session. I have looked in mailing list, and all I see is how you are >not > > > supposed to do this. Well, I really...really...really need to do >this > > and > > > yes, I understand that I shouldn't. > > > > > > So, if anyone knows how I can maintain the session that is given to >my > > > client from HTTPS -> HTTP I would greatly appreciate it. > > > > > > > There is no support for this because it would be a huge security hole. > > For much discussion on this topic, check the mailing list archives. > > > > > Some background: > > > > > > 1. IIS as a front for Tomcat 4.0.1. > > > 2. Using AJP13 > > > > > > Thanks! > > > Aaron. > > > > Craig > > > > > > -- > > To unsubscribe, e-mail: <mailto:tomcat-user-> > [EMAIL PROTECTED]> > > For additional commands, e-mail: <mailto:tomcat-user-> > [EMAIL PROTECTED]> > > >-- >To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> >For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org> -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org> -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
