Dave Newton on 12/10/05 23:22, wrote:
Adam Hardy wrote:
I tried this 18 months ago and if my memory serves me well, in Tomcat
5, if I switch the request back out of SSL with a redirect or similar,
I can no longer see the SSL session (and am effectively not logged in
anymore).
Is there an easy way around this? A JavaScript encryption routine for
the password or some trick with ssl-ext?
<plug-in className="org.apache.struts.action.SecurePlugIn">
  <set-property property="httpPort" value="8080"/>
  <set-property property="httpsPort" value="8443"/>
  <set-property property="enable" value="true"/>
  <set-property property="addSession" value="false"/>
</plug-in>
From sslext.sourceforge.net:
"Also added is the ability to configure the "always add Session ID to
URL feature". This feature was added in a previous release to compensate
for older browsers that do not automatically share sessions between the
http and https protocols. If you are sure that this problem will not
exist for you, you can now disable this feature through the "addSession"
property of the SecurePlugIn (or SecureTilesPlugin). Thanks to all who
suggested this enhancement. (Or otherwise complained about the old
behavior :-)."
Hi Dave,
unfortunately we are talking about different issues. I should have made
it clearer but didn't want to make it overcomplicated, and I forgot
about the issue you outlined, which is ambiguously similar.
The issue that I am tackling is that the servlet container allows the
logged-in user under SSL to see both the HTTP and the SSL session, but
outside of SSL, the user can no longer access the SSL session attributes
(I believe).
Adam