Chris,

On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Just to be clear, it's the session creation that is sensitive to SSL,
> not the actual login (authentication step). If your session exists and
> is visible to non-secure communications before authentication, then it
> will also be so after authentication.
>
Well, I believe this scenario is quite unlikely, since the login form (running as https) usually is the first page to be displayed.

Let me twist your words a bit ;) If the session is created *after* the login form, that means it's created while using HTTP; there shouldn't be any problems left except for the session cookies, which might be hijacked, right?

So would the following scenario work?

- login using form-based login via https
- when successful:

    // getSession(false) returns null when no session exists yet;
    // plain getSession() would create one, so the null check would never fire
    HttpSession session = request.getSession(false);
    // guess that shouldn't happen
    if (session != null) {
        session.invalidate();
    }
    // issue a fresh session (and session ID) over https
    session = request.getSession(true);

Looks ok to me - your comments?

Rgds
Gregor

--
just because you're paranoid, doesn't mean they're not after you...

gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
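As an added illustration (not code from Gregor's mail or from Tomcat), a login servlet that performs the sequence sketched above with the standard Servlet API only: it refuses to process credentials unless the request is secure, and on successful authentication invalidates whatever session existed before login and creates a fresh one, so a session ID that may have been observed over plain HTTP never becomes the authenticated one. `authenticate`, the `locale` attribute and the `/home` redirect are hypothetical placeholders.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // Credentials and the new session cookie must only travel over HTTPS.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (!authenticate(user, pass)) {           // hypothetical credential check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);   // null if no session exists yet
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Carry over only pre-login attributes known to be harmless (here: locale);
            // nothing else from the possibly exposed session migrates.
            for (String name : Collections.list(old.getAttributeNames())) {
                if ("locale".equals(name)) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();                       // retires the pre-login session ID
        }
        HttpSession fresh = req.getSession(true);   // new ID, issued over HTTPS
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);           // authenticated state lives only here
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String pass) {
        // placeholder: real code verifies against the container realm or a user store
        return user != null && pass != null && !user.isEmpty();
    }
}
```

Whether the new cookie is sent with the Secure flag is decided by the connector and context configuration, not by this code, so check that separately.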