Re: [Resin-interest] question about secure / non-secure sessions
Thanks for the clarification Scott.

+James P.

--- Scott Ferguson <[EMAIL PROTECTED]> wrote:
Re: [Resin-interest] question about secure / non-secure sessions
On Jan 11, 2007, at 12:40 PM, James Picklesimer wrote:

> I have a developer who uses HTTP on a landing page then switches to HTTPS (SSL) with a small amount of data from the non-secure page.
>
> My opinion is this is a bad practice for security, but frying that fish is not for this forum.
>
> 1) does resin 3.0.18 or for that matter any J2EE container allow for switching sessions?

It's mostly a browser issue.

By default, the browser will send the same cookie from the non-secure site to the secure site automatically. (There's an http-only flag that can change this behavior for some browsers, although I don't see it in our schema. I thought we'd added it.)

> 2) does this cause a new session to be created?

It depends on how the virtual hosts are configured. If there are separate virtual hosts for SSL vs non-SSL, then there are separate sessions. If the same handles both, it will use the old session.

> 3) how does resin handle this (if legal according to J2EE)?

It's outside the scope of J2EE with the exception that J2EE requires that separate have separate session contexts.

> 4) should I look at java docs for J2EE containers?

If someone else has a better solution, we'd love to add it as an enhancement request.

-- Scott

> Thanks.
> +JP
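An added example, not from this thread and not Resin's own code, of what a web application can do about the behaviour Scott describes (the same session cookie being sent to both the HTTP and the HTTPS side): a servlet filter that discards a session first seen over plain HTTP when it arrives on an HTTPS request, carrying over only a short list of landing-page values. The class name, the marker attribute and the carried-over attribute names are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not Resin code): a session id that was used over plain HTTP has
// crossed the network in clear text, so when that session shows up on an HTTPS request
// we copy the few landing-page values across, invalidate it, and get a fresh id.
public class SecureSessionUpgradeFilter implements Filter {
    // Marker attribute, set once the session has been seen on an HTTP request (assumed name).
    private static final String SEEN_OVER_HTTP = "example.seenOverHttp";
    // Attribute names the landing page may hand to the secure side (assumed names).
    private static final String[] CARRY_OVER = { "landing.locale", "landing.campaign" };

    public void init(FilterConfig config) { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (!request.isSecure()) {
            // Plain HTTP: remember that this session's id went over the wire unencrypted.
            if (session != null) {
                session.setAttribute(SEEN_OVER_HTTP, Boolean.TRUE);
            }
        } else if (session != null && Boolean.TRUE.equals(session.getAttribute(SEEN_OVER_HTTP))) {
            // HTTPS with an HTTP-tainted session: keep only the allowed data, then rotate the id.
            Map<String, Object> carried = new HashMap<String, Object>();
            for (String name : CARRY_OVER) {
                Object value = session.getAttribute(name);
                if (value != null) carried.put(name, value);
            }
            session.invalidate();
            HttpSession fresh = request.getSession(true); // new id, created on the HTTPS request
            for (Map.Entry<String, Object> e : carried.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

Map the filter in web.xml to the paths that switch to HTTPS. To keep the fresh id from being sent back over HTTP afterwards, the session cookie still has to be flagged Secure in the container's configuration; the filter alone cannot do that on this generation of the Servlet API.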
[Resin-interest] question about secure / non-secure sessions
I have a developer who uses HTTP on a landing page then switches to HTTPS (SSL) with a small amount of data from the non-secure page.

My opinion is this is a bad practice for security, but frying that fish is not for this forum.

1) does resin 3.0.18 or for that matter any J2EE container allow for switching sessions?
2) does this cause a new session to be created?
3) how does resin handle this (if legal according to J2EE)?
4) should I look at java docs for J2EE containers?

Thanks.

+JP