On Jan 11, 2007, at 12:40 PM, James Picklesimer wrote:
> I have a developer who uses HTTP on a landing page
> then switches to HTTPS (SSL) with a small amount of
> data from the non-secure page.
> My opinion is this is a bad practice for security, but
> frying that fish is not for this forum.
>
> 1) does resin 3.0.18 or for that matter any J2EE
> container allow for switching sessions?

It's mostly a browser issue.

By default, the browser will send the same cookie from the non-secure
site to the secure site automatically. (There's an http-only flag
that can change this behavior for some browsers, although I don't see
it in our schema. I thought we'd added it.)

> 2) does this cause a new session to be created?

It depends on how the virtual hosts are configured. If there are
separate virtual hosts for SSL vs non-SSL, then there are separate
sessions. If the same <host> handles both, it will use the old session.

> 3) how does resin handle this (if legal according to

It's outside the scope of J2EE with the exception that J2EE requires
that separate <web-app> have separate session contexts.

> 4) should I look at java docs for J2EE containers?

If someone else has a better solution, we'd love to add it as an
resin-interest mailing list
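As an added example (not from this thread or from Resin itself), a servlet filter for the shared-<host> case described in the reply: the first time a request arrives over HTTPS carrying a session that was created on the plain-HTTP landing page, it copies the session's data into a freshly created session and drops the old one, so the session ID that travelled in cleartext is not reused for the secure part of the site. Class and attribute names are hypothetical; it assumes a Servlet 2.4-style container and leaves the cookie's Secure attribute to container configuration.

```java
// Added example, not Resin code: rotate the session on the HTTP -> HTTPS transition.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SecureSessionRotationFilter implements Filter {
    // Marker attribute (hypothetical name): set once the session was created over HTTPS.
    private static final String SECURE_MARK = "rotated.over.https";

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession old = request.getSession(false);

        // Only act on an HTTPS request whose session was not already created over HTTPS.
        if (request.isSecure() && old != null && old.getAttribute(SECURE_MARK) == null) {
            // Carry over the small amount of data collected on the non-secure page.
            Map<String, Object> carried = new HashMap<String, Object>();
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidate the session whose ID was exposed in cleartext; the container
            // issues a fresh ID (and its own Set-Cookie header) for the new session.
            old.invalidate();
            HttpSession fresh = request.getSession(true);
            for (Map.Entry<String, Object> entry : carried.entrySet()) {
                fresh.setAttribute(entry.getKey(), entry.getValue());
            }
            fresh.setAttribute(SECURE_MARK, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }
}
```

With separate SSL and non-SSL virtual hosts, as the reply notes, the HTTPS host never sees the HTTP session in the first place, so the filter only does work when one <host> serves both.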