> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
> 
> 1. Request protected resource, non-CONFIDENTIAL
> 2. Tomcat responds with login page, login page is configured as
> CONFIDENTIAL

I can't remember if that works; it would only be useful if the resumed request 
stayed with HTTPS.  I've never found a case where encrypting the login without 
encrypting the protected resource makes any sense.

> In this case, is the user redirected to the login page using SSL?

My recollection is that the login page is SSL, and the cookie is secure, but 
I'd have to double-check.  We've managed to convince people that a secure login 
for unsecure resources is pretty much pointless.
 
 - Chuck
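
A check for the configuration discussed in this thread (a CONFIDENTIAL login page in front of a protected resource that has no transport guarantee), as an added example that is not part of the original message. The function name, the sample paths `/secure/*` and `/login.jsp`, and the embedded web.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not from the thread), trimmed to the elements of interest:
# the FORM login page is CONFIDENTIAL, the protected resource is not.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/login.jsp</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page></form-login-config>
  </login-config>
</web-app>"""


def local(tag):
    """Strip an XML namespace so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def unencrypted_protected_patterns(web_xml):
    """Return URL patterns that require authentication but not CONFIDENTIAL."""
    findings = []
    for node in ET.fromstring(web_xml).iter():
        if local(node.tag) != "security-constraint":
            continue
        kids = {local(c.tag): c for c in node.iter()}
        guarantee = kids.get("transport-guarantee")
        confidential = guarantee is not None and (guarantee.text or "").strip() == "CONFIDENTIAL"
        if "auth-constraint" in kids and not confidential:
            findings += [(c.text or "").strip() for c in node.iter() if local(c.tag) == "url-pattern"]
    return findings


if __name__ == "__main__":
    print(unencrypted_protected_patterns(SAMPLE_WEB_XML))
```

Adding a `user-data-constraint` with `CONFIDENTIAL` to the constraint that carries the `auth-constraint` clears the finding.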

