Actually, many sites need this and do this today (Netflix for example).
There are a few cases when you need to do this:
1) Logging in. The login action should be https so username and password
are encrypted, but once I pass the login, the first page the user sees does
not need to be secure, hence switching from https to http.
2) If the user is already logged in and they need to edit billing info, the
site must switch to https from http in order to capture that new billing
info without losing the session information.
I have done it before with Struts, so was wondering if Stripes had a cleaner
technique. Can you show a simple example of using the ActionBeanContext to
do this? See my below code that I used in Struts once the user logs
in...I'm overwriting the current JSESSIONID cookie with a custom one.
    // Re-issue the container's session cookie under our own settings
    Cookie cookie = new Cookie("JSESSIONID", session.getId());
    cookie.setDomain("mydomain.com");
    cookie.setMaxAge(-1); // Life of the browser or timeout
    cookie.setSecure(false); // cookie (and so the session id) is also sent over plain http
    String contextPath = request.getContextPath();
    if ((contextPath != null) && (contextPath.length() > 0)) {
        cookie.setPath(contextPath);
    } else {
        cookie.setPath("/");
    }
    response.addCookie(cookie);
On Mon, Jan 31, 2011 at 2:46 AM, Janne Jalkanen <janne.jalka...@ecyrd.com> wrote:
>
> I know this isn't particularly helpful, but if you do switch from https to
> http AND keep the same session identifier, you *do* have a need for
> encryption, and hence shouldn't be switching to http.
>
> The reason for this is that session id hijacking is ridiculously easy these
> days, so having http and https mixed for the same domain is almost as good
> as not having https in the first place. Check out Firesheep
> http://codebutler.com/firesheep?c=1. Running it on any nearby open WiFi
> network should get you a ton of Facebook logins in no time (of course,
> actually using them would probably be illegal, depending on your
> jurisdiction). You can even as an exercise script your own app into it and
> see how easy it is to collect the user sessions...
>
> I'd say that generating a new session ID is good design, not an issue
> ;-)
>
> (Having said that, you could just use your own session tracking and your
> own cookie. ActionBeanContext is very helpful in that regard; or you could
> have a custom Filter to take care of it.)
>
> /Janne
>
> On 31 Jan 2011, at 02:42, Adam Stokar wrote:
>
> > As many of you know, there is an issue when you switch from https to http
> > due to a new session variable being generated for the non-secure request.
> > Has anyone found an easy way to handle this with Stripes? I would like a
> > way to say a certain ActionBean should force https (like editing billing
> > information) and others should force http if there isn't a need for
> > encryption.
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
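The "custom Filter" route Janne mentions, written out as an added example (not code from the thread or from Stripes): it forces https for one path prefix (Adam's billing case) and, instead of carrying the same JSESSIONID across the http/https boundary, re-keys the session the first time it is seen over https. SecureAreaFilter, SECURE_PREFIX and the UPGRADED attribute name are assumed names; only the standard Servlet 2.5 API is used.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: force https under SECURE_PREFIX and re-key the session on upgrade.
public class SecureAreaFilter implements Filter {
    private static final String SECURE_PREFIX = "/billing"; // assumed; read from init-params in practice
    private static final String UPGRADED = "session.rekeyedOverHttps";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (path.startsWith(SECURE_PREFIX) && !request.isSecure()) {
            // Same URL, https scheme. A redirect only carries GET; forms that post to the
            // secure area must already point at https so the body never goes out in clear.
            StringBuffer url = request.getRequestURL();
            String target = "https" + url.substring(url.indexOf("://"));
            if (request.getQueryString() != null) target += "?" + request.getQueryString();
            response.sendRedirect(target);
            return;
        }
        HttpSession session = request.getSession(false);
        if (request.isSecure() && session != null && session.getAttribute(UPGRADED) == null) {
            // The old id was visible on the wire while the session ran over http;
            // issue a fresh id before trusting it on the https side.
            session = migrate(request, session);
            session.setAttribute(UPGRADED, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }

    // Invalidate the old session and copy its state into a new one (new JSESSIONID).
    private static HttpSession migrate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> a : attrs.entrySet()) fresh.setAttribute(a.getKey(), a.getValue());
        return fresh;
    }
}
```

The re-key only helps if the new id is not sent back over http afterwards, so mark the container's session cookie Secure (Servlet 3.0 web.xml cookie-config, or the container's own setting); that is exactly the trade-off Janne describes, since a secure-only cookie means the http pages see a different session.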