On Tue, 29 Oct 2002, Schnitzer, Jeff wrote:

> Date: Tue, 29 Oct 2002 15:56:47 -0800
> From: "Schnitzer, Jeff" <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: Force One page to not use SSL
>
> I've read the list archives and I'm aware of the security "issue", but I
> still want to switch from HTTPS to HTTP.
>
> Yes, I know someone could hijack the session.  We're not worried about
> that; at worst someone could make some obnoxious posts to a forum.  We
> force users to submit their password a second time (and go into SSL, of
> course) whenever anything sensitive is touched, such as passwords or
> credit card info.
>
> We get a _lot_ of traffic.  Running everything under SSL is not really
> an option.  Can Apache/Tomcat/mod_jk be made to handle the switch?  In
> our current configuration, it appears that the session is getting lost
> in the transition from HTTPS->HTTP so the user is forced to log in
> again.
>

Then I'm afraid you will need to modify your version of Tomcat to make
this transition possible.  It would be irresponsible for the standard
container to allow people who don't know what they are doing to shoot
themselves in the foot on security.

> Thanks,
> Jeff Schnitzer
> [EMAIL PROTECTED]
> The Sims Online
>

Craig


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
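An added illustration, not part of the original messages and not Tomcat code: it models the symptom and the split-privilege design described in the thread, assuming the session cookie was issued with the Secure attribute during the HTTPS login. The cookie names (`SID`, `SID_SECURE`), tokens and paths are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample data: cookie names, tokens and paths are hypothetical.
SESSIONS = {"low-7f3a": "jeff"}   # browsing session token -> user
REAUTH = {"high-c91e": "jeff"}    # token issued after password re-entry over HTTPS

def set_cookie(name, value, secure):
    """Return the Set-Cookie value a server would emit."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    if secure:
        c[name]["secure"] = True
    return c[name].OutputString()

def cookies_sent(jar, scheme):
    """Cookies a browser attaches for this scheme; Secure ones never go over http."""
    sent = {}
    for header in jar:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["secure"] and scheme != "https":
                continue
            sent[name] = morsel.value
    return sent

def handle(path, scheme, cookies):
    """Server-side check: forum needs a session, /account needs HTTPS plus re-auth."""
    user = SESSIONS.get(cookies.get("SID"))
    if user is None:
        return "302 /login"
    if path.startswith("/account"):
        if scheme != "https":
            return "302 https"
        if REAUTH.get(cookies.get("SID_SECURE")) != user:
            return "302 /reauth"
    return "200 " + user

def request(jar, scheme, path):
    """One browser request: pick the cookies for the scheme, then ask the server."""
    return handle(path, scheme, cookies_sent(jar, scheme))

# Case 1: one session cookie, marked Secure because login happened over HTTPS.
single = [set_cookie("SID", "low-7f3a", True)]
# Case 2: low-value session cookie usable on HTTP, separate Secure re-auth cookie.
split = [set_cookie("SID", "low-7f3a", False), set_cookie("SID_SECURE", "high-c91e", True)]

if __name__ == "__main__":
    for jar in (single, split):
        print([request(jar, s, p) for s, p in
               (("http", "/forum"), ("http", "/account"), ("https", "/account"))])
```

In the split case the cookie that travels over plain HTTP unlocks only the low-value pages; the sensitive path still demands HTTPS and the Secure re-authentication cookie.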
