Chris,

On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Just to be clear, it's the session creation that is sensitive to SSL,
> not the actual login (authentication step). If your session exists and
> is visible to non-secure communications before authentication, then it
> will also be so after authentication.
>

Well, I believe this scenario is quite unlikely, since the login-form
(running as https) usually is the first page to be displayed.

Let me twist your words a bit ;)

If the session is created *after* the login form, which means it's
created while using HTTP, there shouldn't be any problems left except
for the session cookies, which might be hijacked, right?

So would the following scenario work?

- login using form-based login via https

- when successful:
   // getSession(false) returns null instead of creating a session,
   // so the null check below actually means something
   HttpSession session = request.getSession(false);
   // guess that shouldn't happen
   if (session != null) {
      session.invalidate();
   }
   // fresh session, fresh id, issued on the https request
   session = request.getSession(true);

Looks ok to me - your comments?

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
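The post-login step Gregor sketches, written out as a complete helper. This is an added example, not code from the thread or from Tomcat; the class name SessionRenewal, the method renewAfterLogin and the "user" attribute are assumptions, and the check on request.isSecure() is added so that the new session id is only ever issued on the HTTPS request, which is the point Chris was making about session creation rather than the login itself.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper; names are assumptions, not servlet-API or Tomcat code.
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Call this once form-based authentication has succeeded.
     * Any session that existed before login is retired, because its id may
     * have been issued over plain HTTP and seen on the wire, and the caller
     * gets a new session whose id was first sent over HTTPS.
     */
    public static HttpSession renewAfterLogin(HttpServletRequest request,
                                              String principalName) {
        if (!request.isSecure()) {
            // a session id created here would travel over plain HTTP
            throw new IllegalStateException("login must be handled over HTTPS");
        }

        // false: do not create a session just to look at it
        HttpSession old = request.getSession(false);
        Map<String, Object> carryOver = new HashMap<>();
        if (old != null) {
            // keep whatever the application stored before login
            // (e.g. a shopping cart), but not the old id
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carryOver.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // true: create a new session, i.e. a new id on this HTTPS request
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carryOver.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("user", principalName);   // assumed attribute name
        return fresh;
    }
}
```

Copying the old attributes is optional; if nothing needs to survive login, dropping the loop makes the renewal stricter. Also note that a later servlet specification (3.1) added HttpServletRequest.changeSessionId(), which swaps the id without invalidating the session, and that marking the session cookie secure (SessionCookieConfig.setSecure in Servlet 3.0) keeps the browser from sending the new id over HTTP afterwards.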
