I know this isn't particularly helpful, but if you do switch from https to http 
AND keep the same session identifier, you *do* have a need for encryption, and 
hence shouldn't be switching to http.

The reason for this is that session id hijacking is ridiculously easy these 
days, so having http and https mixed for the same domain is almost as good as 
not having https in the first place.  Check out Firesheep 
http://codebutler.com/firesheep?c=1. Running it on any nearby open WiFi network 
should get you a ton of Facebook logins in no time (of course, actually using 
them would probably be illegal, depending on your jurisdiction). You can even 
as an exercise script your own app into it and see how easy it is to collect 
the user sessions...

I'd say that generating a new session ID is good design, not an issue ;-)

(Having said that, you could just use your own session tracking and your own 
cookie. ActionBeanContext is very helpful in that regard; or you could have a 
custom Filter to take care of it.)

/Janne

On 31 Jan 2011, at 02:42, Adam Stokar wrote:

> As many of you know, there is an issue when you switch from https to http due 
> to a new session variable being generated for the non-secure request.  Has 
> anyone found an easy way to handle this with Stripes?  I would like a way to 
> say a certain ActionBean should force https (like editing billing 
> information) and others should force http if there isn't a need for 
> encryption. 
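One way to do what both messages describe (force https for sensitive ActionBeans, and never keep reusing a session id that has already travelled over plain http), as an added illustration that is not Stripes code or anything from the thread: a plain servlet Filter. The class name, the path prefixes and the "user" session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical servlet Filter (not part of Stripes): forces https on sensitive
// paths and refuses to reuse an authenticated session that arrived over plain http.
public class SecureAreaFilter implements Filter {
    // Assumed URL prefixes of the ActionBeans that must only be reached over https.
    private static final String[] SECURE_PREFIXES = { "/billing", "/account" };
    // Assumed session attribute that the login ActionBean sets.
    private static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // A session id that reached us over http has already been exposed on the
            // wire (the Firesheep case), so an authenticated session must not survive it.
            HttpSession existing = request.getSession(false);
            if (existing != null && existing.getAttribute(USER_ATTR) != null) {
                existing.invalidate();
            }
            if (isSensitive(request.getServletPath())) {
                // Re-issue the same URL over https instead of serving it in the clear.
                StringBuffer url = request.getRequestURL();
                String target = "https://" + url.substring(url.indexOf("://") + 3);
                String qs = request.getQueryString();
                response.sendRedirect(qs == null ? target : target + "?" + qs);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    static boolean isSensitive(String path) {
        for (String prefix : SECURE_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

Pair this with the Secure flag on the container's session cookie (Servlet 3.0: `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml) so the browser never sends the session id over http in the first place; the new session that then appears on http pages is the intended outcome, not a bug.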


_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users