I've been having the same issues others have been asking about. This
discussion has been useful, but...
===> What is a viable workaround for switching to http from https once
the user is authenticated? And is that idea unreasonable (see use
case below).
My main concern is that sending large amounts of static content over
https (large JPEGs in particular) will cause an undue load on the
server, as opposed to 'http'.
Here is my use case:
1. The user's password should be protected over https when logging
in. Ditto for the user's home page.
2. Once logged in, a large amount of static content (html, large
JPEGs, etc) is available to that user. None of it is of a sensitive
nature.
3. While it's true that the sessionid could be hijacked, an attacker
would need the user's actual password to do anything malicious; there
isn't any sensitive user data, just access to content. So having
sessionid travel over plain http would be fine.
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
On Jun 7, 2008, at 3:40 AM, Mark Thomas wrote:
The application may be trivial, but not the user's password.
If the functionality is important enough to protect with a password
over SSL then the session ID, which for most applications will give
access to that functionality, should usually be protected in the
same way. There will be some exceptions to this. Protecting the
session by other means is one possibility.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
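The trade-off in Mark's reply, as an added example that is not part of this thread or of Tomcat: a small Python model of the browser's rule for the cookie Secure attribute (RFC 6265: a Secure cookie is only sent over https) applied to a per-path transport policy of the kind web.xml's transport-guarantee expresses. The paths, the cookie name and the policy values are constructed to match the use case above; nothing here is Tomcat's own code.

```python
"""Audit a mixed http/https layout for session-ID exposure.

Constructed example. It models two things: (1) how a browser decides
whether to attach the session cookie to a request, based on the cookie's
Secure attribute and the URL scheme, and (2) a per-path transport policy
using the same two values web.xml's <transport-guarantee> takes:
CONFIDENTIAL (https only) and NONE (http or https).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionCookie:
    name: str
    secure: bool  # Secure attribute: browser sends it only over https


# Constructed policy mirroring the use case: login and home page over
# https, bulk static content allowed over plain http.
PROPOSED_POLICY = {
    "/login": "CONFIDENTIAL",
    "/home": "CONFIDENTIAL",
    "/static/": "NONE",
}


def allowed_schemes(guarantee):
    """Schemes the container lets a request use for a given guarantee."""
    if guarantee == "CONFIDENTIAL":
        return ("https",)
    return ("http", "https")


def browser_sends_cookie(cookie, scheme):
    """RFC 6265 rule: a Secure cookie travels only on a secure channel."""
    if cookie.secure:
        return scheme == "https"
    return True


def cleartext_session_paths(policy, cookie):
    """Paths on which the session ID can cross the wire in cleartext.

    A path is exposed when the policy permits plain http there AND the
    browser would still attach the session cookie to an http request.
    """
    exposed = []
    for path, guarantee in policy.items():
        if "http" in allowed_schemes(guarantee) and browser_sends_cookie(cookie, "http"):
            exposed.append(path)
    return exposed


def session_available_on(policy, cookie, path, scheme):
    """Whether a request for `path` over `scheme` reaches the application
    carrying the session (so the content can be gated per user)."""
    if scheme not in allowed_schemes(policy[path]):
        return False  # container rejects or redirects the request
    return browser_sends_cookie(cookie, scheme)


if __name__ == "__main__":
    plain = SessionCookie("JSESSIONID", secure=False)
    hardened = SessionCookie("JSESSIONID", secure=True)
    # Non-Secure cookie: the session ID leaks on every plain-http path.
    print("exposed (cookie not Secure):", cleartext_session_paths(PROPOSED_POLICY, plain))
    # Secure cookie: nothing leaks, but static content over http can no
    # longer see who the user is, so it cannot be restricted per user.
    print("exposed (cookie Secure):    ", cleartext_session_paths(PROPOSED_POLICY, hardened))
    print("per-user gating of /static/ over http possible:",
          session_available_on(PROPOSED_POLICY, hardened, "/static/", "http"))
```

Running it shows the two halves of the trade-off: with a non-Secure session cookie the proposed layout sends the session ID in cleartext on `/static/`, which is exactly the exposure Mark warns about; with the Secure attribute set (Tomcat sets it on the session cookie when the session is created over an https connection, as far as I know) the ID never travels over http, but then the http-served static content cannot be tied to the logged-in user at all. Either the static tree is served over https too, or it is gated by something other than the login session, which is the "other means" the reply mentions.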