I know this isn't particularly helpful, but if you do switch from https to http AND keep the same session identifier, you *do* have a need for encryption, and hence shouldn't be switching to http.
The reason for this is that session id hijacking is ridiculously easy these days, so having http and https mixed for the same domain is almost as good as not having https in the first place. Check out Firesheep http://codebutler.com/firesheep?c=1. Running it on any nearby open WiFi network should get you a ton of Facebook logins in no time (of course, actually using them would probably be illegal, depending on your jurisdiction). You can even as an exercise script your own app into it and see how easy it is to collect the user sessions...

I'd say that generating a new session ID is good design, not an issue ;-)

(Having said that, you could just use your own session tracking and your own cookie. ActionBeanContext is very helpful in that regard; or you could have a custom Filter to take care of it.)

/Janne

On 31 Jan 2011, at 02:42, Adam Stokar wrote:

> As many of you know, there is an issue when you switch from https to http due
> to a new session variable being generated for the non-secure request. Has
> anyone found an easy way to handle this with Stripes? I would like a way to
> say a certain ActionBean should force https (like editing billing
> information) and others should force http if there isn't a need for
> encryption.

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
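
One way to build the custom Filter and separate cookie suggested in the reply above, as an added example that is not part of the original thread or of Stripes. The class name, cookie name, session attribute and `/secure/` path are hypothetical, and the filter is assumed to be mapped to `/secure/*` in web.xml.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.UUID;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumes web.xml maps this filter to /secure/* (hypothetical path).
public class SecureAreaFilter implements Filter {
    static final String COOKIE = "SAUTH";          // hypothetical cookie name
    static final String ATTR = "secureAuthToken";  // hypothetical session attribute
    static final String PREFIX = "/secure/";       // must match the filter mapping
    // Call from the login handler, which must itself be served over HTTPS.
    public static void issue(HttpServletRequest req, HttpServletResponse res) {
        if (!req.isSecure()) throw new IllegalStateException("login must use HTTPS");
        String token = UUID.randomUUID().toString();  // random (v4) UUID from a CSPRNG
        req.getSession().setAttribute(ATTR, token);
        Cookie c = new Cookie(COOKIE, token);
        c.setSecure(true);    // browser never sends it over plain http
        c.setHttpOnly(true);  // Servlet 3.0+: hidden from page scripts
        c.setPath(req.getContextPath() + PREFIX);
        res.addCookie(c);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (!req.isSecure()) {  // force https for the protected area (default port assumed)
            String q = req.getQueryString();
            res.sendRedirect("https://" + req.getServerName() + req.getRequestURI()
                    + (q == null ? "" : "?" + q));
            return;
        }
        HttpSession s = req.getSession(false);
        String expected = s == null ? null : (String) s.getAttribute(ATTR);
        String presented = null;
        Cookie[] cookies = req.getCookies();  // null when the request has none
        for (int i = 0; cookies != null && i < cookies.length; i++)
            if (COOKIE.equals(cookies[i].getName())) presented = cookies[i].getValue();
        // The session id alone (sniffable on http) is not enough here.
        if (expected == null || presented == null || !MessageDigest.isEqual(
                expected.getBytes("UTF-8"), presented.getBytes("UTF-8"))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
    public void init(FilterConfig cfg) {}  public void destroy() {}
}
```

Behind a TLS-terminating proxy, `isSecure()` reflects the proxy-to-container hop, so the container has to be configured to trust the proxy's scheme information or the redirect will loop.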