On Jan 11, 2007, at 12:40 PM, James Picklesimer wrote:

> I have a developer who uses HTTP on a landing page
> then switches to HTTPS (SSL) with a small amount of
> data from the non-secure page.
>
> My opinion is this is a bad practice for security, but
> frying that fish is not for this forum.
>
> 1) does resin 3.0.18 or for that matter any J2EE
> container allow for switching sessions?

It's mostly a browser issue.

By default, the browser will send the same cookie from the non-secure  
site to the secure site automatically.  (There's a http-only flag  
that can change this behavior for some browsers, although I don't see  
it in our schema.  I thought we'd added it.)

>
> 2) does this cause a new session to be created?

It depends on how the virtual hosts are configured.  If there are  
separate virtual hosts for SSL vs non-SSL, then there are separate  
sessions.  If the same <host> handles both, it will use the old session.
>
> 3) how does resin handle this (if legal according to
> J2EE)?

It's outside the scope of J2EE with the exception that J2EE requires  
that separate <web-app> have separate session contexts.

> 4) should I look at java docs for J2EE containers?

If someone else has a better solution, we'd love to add it as an  
enhancement request.

-- Scott

>
> Thanks.
> +JP


_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
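The browser behaviour Scott describes, as an added example that is not part of the thread or of Resin: Python's http.cookiejar stands in for the browser, and the hostnames, paths and session ids are constructed. The first flow shows the default case (a session cookie issued on the HTTP landing page follows the user into the HTTPS part of the same host, and keeps going out in the clear on every later HTTP request); the second shows the usual fix, where the application retires the HTTP-born id on the first HTTPS hit and issues a replacement marked Secure, which the browser then withholds from plain-HTTP requests; the third shows that with separate hostnames the cookie never follows at all. The attribute that keeps a cookie off non-TLS requests is Secure; HttpOnly only hides it from script.

```python
"""Browser-side model of the HTTP -> HTTPS session hand-off discussed in the
thread.  The standard library's http.cookiejar plays the part of the browser;
the hostnames, paths and session ids below are constructed for the example."""
import http.cookiejar
import secrets
import urllib.request
from email.message import Message

HOST = "shop.example.test"     # constructed hostname shared by HTTP and HTTPS
LEGACY_SID = "A1B2C3"          # constructed session id issued over plain HTTP


class _Response:
    """Just enough of a response object for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def set_cookie(jar, url, header):
    """Store a Set-Cookie header as if it came back in a response for url."""
    jar.extract_cookies(_Response([header]), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the 'browser' would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def legacy_flow():
    """Session cookie set on the HTTP landing page with no Secure flag."""
    jar = http.cookiejar.CookieJar()
    set_cookie(jar, f"http://{HOST}/landing", f"JSESSIONID={LEGACY_SID}; Path=/")
    return {
        # same host, so the id rides along into the HTTPS part of the site ...
        "https_checkout": cookie_header_for(jar, f"https://{HOST}/checkout"),
        # ... and is still sent in the clear on every later HTTP request
        "http_again": cookie_header_for(jar, f"http://{HOST}/help"),
    }


def hardened_flow(new_sid=None):
    """On the first HTTPS hit the application retires the HTTP-born id and issues
    a fresh one marked Secure (and HttpOnly), so the secure session never goes
    back over plain HTTP.  new_sid is a test hook; a real app generates it."""
    jar = http.cookiejar.CookieJar()
    set_cookie(jar, f"http://{HOST}/landing", f"JSESSIONID={LEGACY_SID}; Path=/")
    presented = cookie_header_for(jar, f"https://{HOST}/checkout")
    # Server side (not modelled here): copy what is needed out of the old
    # session, invalidate it, and create a new one.  The browser only sees
    # the replacement cookie, which overwrites the old one (same name/path/host).
    if new_sid is None:
        new_sid = secrets.token_hex(16)
    set_cookie(jar, f"https://{HOST}/checkout",
               f"JSESSIONID={new_sid}; Path=/; Secure; HttpOnly")
    return {
        "presented_on_switch": presented,
        "https_after": cookie_header_for(jar, f"https://{HOST}/pay"),
        "http_after": cookie_header_for(jar, f"http://{HOST}/help"),
        "new_sid": new_sid,
    }


def separate_hosts_flow():
    """HTTP and HTTPS on different hostnames: the landing-page cookie is host-only
    and is never sent to the other host, so the container sees a new session."""
    jar = http.cookiejar.CookieJar()
    set_cookie(jar, "http://www.example.test/landing", f"JSESSIONID={LEGACY_SID}; Path=/")
    return cookie_header_for(jar, "https://secure.example.test/checkout")


if __name__ == "__main__":
    print("default cookie:", legacy_flow())
    print("regenerated Secure cookie:", hardened_flow())
    print("separate hosts:", separate_hosts_flow())
```

Whether the container treats the presented id as the same session is a separate question (Scott's point about virtual hosts); what the jar shows is only what the browser will hand over, and that a cookie minted over HTTP is only as secret as the HTTP leg that carried it.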
