No, you didn't miss something. Looks like I have to make the "Edit Account" page secure to protect any changing of passwords, etc, then switch back.
The idea was to protect a user's password only. Once logged on, that password is no longer required. I do understand that someone could snoop the session id though. One of the primary reasons I am going along this path is due to performance concerns. Non-SSL performance is much better then SSL. Thanks for the comment. Michael Dalton [EMAIL PROTECTED] Internet Business Manager Computing Systems Services Branch Information Technology Directorate IT-D3-A / CIF 394B Kennedy Space Center, FL 32899 (W) 321-861-2207 (F) 321-867-7133 -----Original Message----- From: Holger Dewes [mailto:[EMAIL PROTECTED] Sent: Thursday, September 25, 2003 10:20 AM To: 'Jetspeed Users List' Subject: RE: Using SSL (e.g. https:) with Jetspeed and IE annoyances > -----Original Message----- > From: Dalton-1, Michael [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 25, 2003 4:05 PM > To: 'Jetspeed Users List' > Cc: Dalton-1, Michael; Reinhart-1, Lois; Solanky, Smita; > Twadell, Daniel M > Subject: RE: Using SSL (e.g. https:) with Jetspeed and IE annoyances > > > Yup, that did the trick. My custom login class needed to be > in a ../modules/actions/ directory. Don't know why, but at > least it works. Very strange. > > Now my users can log in using SSL and have the portal > automatically switch back to non-SSL -- which should improve > performance overall. > Hello, just out of curiosity: why bother with SSL in the first place if you switch back to non-SSL after login? Its hardly more secure, because the session ID can easily be retrieved from an unsecure connection. And as soon as a user changes his password, the new password can be read by a third person as well. Or am I missing something? Cheers -- Holger Dewes --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
