André Warnier wrote:
Bill Davidson wrote:
...
"Our application switches between them [HTTP or HTTPS] based upon whether there is sensitive data in the page or not."

So I guess that if you did not do that, you would not be having this issue.
Feasible?

Non-trivial.  Also, there is resistance to making everything https due to
performance concerns.

I've also been doing some more in-depth analysis of the logs, and I'm finding
some cases of IPs jumping around for the same session id even when not
switching protocols.

I'm not even entirely sure it's proxies anymore.  I'm back-tracing some of
these groups of IPs and sometimes they're not even for the same ISP.
I've found mixes of AOL and Comcast as well as mixes of Comcast and
SBC.  Weird.  I'm starting to worry that we're generating non-unique
session ids or that there could be hackers trying to hijack people's
sessions.

More research to do....

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
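
The log analysis Bill describes above, as an added example that is not code from the thread: it groups access-log requests by session id, lists the distinct client IPs each session was seen from, and separates the sessions whose IPs fall inside one address block (the proxy-pool or dynamic-address pattern) from those that cross blocks, which are the ones worth checking for non-unique ids or hijacking. It assumes the access log carries the JSESSIONID cookie as a trailing field (as a Tomcat AccessLogValve pattern ending in `%{JSESSIONID}c` writes it); the log lines, IPs and session ids are constructed, and the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the thread): common log format with the
# JSESSIONID cookie value as a trailing field, as an AccessLogValve pattern
# ending in "%{JSESSIONID}c" would write it; "-" means no session cookie.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2009:13:55:36 -0700] "GET /app/cart HTTP/1.1" 200 512 ABC123
10.0.0.5 - - [10/Oct/2009:13:55:40 -0700] "GET /app/checkout HTTP/1.1" 200 1024 ABC123
192.0.2.17 - - [10/Oct/2009:13:55:44 -0700] "GET /app/checkout HTTP/1.1" 200 1024 ABC123
203.0.113.9 - - [10/Oct/2009:13:56:01 -0700] "GET /app/home HTTP/1.1" 200 300 DEF456
203.0.113.42 - - [10/Oct/2009:13:56:05 -0700] "GET /app/home HTTP/1.1" 200 300 DEF456
198.51.100.1 - - [10/Oct/2009:13:57:00 -0700] "GET /app/login HTTP/1.1" 200 200 -
198.51.100.1 - - [10/Oct/2009:13:57:02 -0700] "GET /app/home HTTP/1.1" 200 300 GHI789
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ (?P<sid>\S+)$')

def parse(log_text):
    """Yield (client_ip, session_id); skip unparseable lines and cookie-less requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("sid") != "-":
            yield m.group("ip"), m.group("sid")

def ips_per_session(log_text):
    """Map each session id to the distinct client IPs it was seen from, in order."""
    seen = defaultdict(list)
    for ip, sid in parse(log_text):
        if ip not in seen[sid]:
            seen[sid].append(ip)
    return dict(seen)

def flag_roaming_sessions(log_text, prefix_bits=16):
    """Return {session_id: (ips, verdict)} for sessions seen from >1 client IP.
    Heuristic: IPs within one /prefix_bits block look like a proxy pool or a
    dynamic-address change at one provider; IPs in different blocks are the
    cases worth closer investigation (non-unique ids, or a hijacked session)."""
    flagged = {}
    for sid, ips in ips_per_session(log_text).items():
        if len(ips) < 2:
            continue
        blocks = {ipaddress.ip_network(f"{ip}/{prefix_bits}", strict=False)
                  for ip in ips}
        verdict = "same-block" if len(blocks) == 1 else "cross-block"
        flagged[sid] = (ips, verdict)
    return flagged
```

The /16 split is only a first cut; a real follow-up would resolve each IP's ASN or owner, since two addresses in different /16s can still belong to one ISP's proxy farm.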
