Hello,
others have commented on this, but first of all:
From a security point of view it is a bad design if a session gets switched
from SSL to non-SSL or vice-versa. The sessionid is always part of any
request. So anyone observing a non-SSL-request can obtain the sessionid and
thereby hijack a
Hello Harry,
I was getting users to log in using SSL, and then switching to non-SSL in
order to avoid the SSL overheads. (When I decided I could not 'hang on' to
the same session, I decided to stick with SSL permanently.)
So you achieve to protect the password (which would otherwise be sent
Hello Harry,
sorry, I did not want to press this point too much. And for the record: My
tomcat works that way. Anything placed in session-scope remains present
between different requests made with http and https, even the authenticated
user. The only thing I noticed has been a caching issue,
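The design point raised at the start of the thread (the session id travels with every request, so one cleartext request is enough to hijack a session that was established over SSL) can be enforced in the container rather than left to convention. The following servlet filter is an added example, not code from this thread or from Tomcat itself; it assumes the standard Servlet API (javax.servlet), and the class and attribute names are illustrative. Once a session has been used over https it is marked, and any later request presenting that same session id over plain http invalidates the session and is refused, so the scenario Harry described (log in over SSL, then drop to non-SSL with the same session) cannot silently leak a usable id:

```java
// Added example (not from the thread). Assumes the javax.servlet API;
// SchemeBoundSessionFilter and the attribute name are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SchemeBoundSessionFilter implements Filter {

    // Session attribute recording that this session id has been sent over https.
    private static final String USED_OVER_SSL = "SchemeBoundSessionFilter.usedOverSsl";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only look at sessions that already exist; do not create one here.
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (request.isSecure()) {
                // From now on this session id is "secret": it has protected an SSL request.
                session.setAttribute(USED_OVER_SSL, Boolean.TRUE);
            } else if (Boolean.TRUE.equals(session.getAttribute(USED_OVER_SSL))) {
                // The id just crossed the wire in cleartext, so treat it as compromised:
                // drop everything stored in the session and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "This session may only be used over https");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet that reads the session. Note what it does not do: a session first created over plain http can still be upgraded to https (which is what happens when an anonymous visitor logs in), and the filter only closes the downgrade direction. It also does not stop the id from being observed; it only makes the observed id worthless. Marking the session cookie itself with the Secure flag (in containers that support it) prevents the browser from sending the cookie over http in the first place and is the complementary measure.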