http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7819

https and http session-semantics control

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From [EMAIL PROTECTED]  2002-04-08 01:10 -------

Anyone who uses this approach is absolutely and totally wasting their time doing the authentication under HTTPS. If you switch back to HTTP after that, your session can get hijacked by anyone who is snooping the network and can therefore see the session id. The only safe programming technique is that, once you switch to HTTPS for a particular session, you never again accept a non-HTTPS request for that session. Supporting any easy mechanism to do the switchback would therefore, IMHO, be a grave disservice to Tomcat users, because it would imply that this practice is safe -- and it is not.
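An added example, not from the bug report and not Tomcat's own code, of enforcing the rule stated in the comment above ("once you switch to HTTPS for a particular session, you never again accept a non-HTTPS request for that session") as a servlet Filter; the class name and the session attribute name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not part of Tomcat): once a session has been used over
// HTTPS, any later plain-HTTP request presenting that session id is refused and
// the session is invalidated, so a session id sniffed from HTTP is worthless.
public class SecureSessionPinFilter implements Filter {

    // Session attribute name is an assumption of this example.
    static final String PINNED = "session.pinnedToHttps";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never create a session here; only inspect one the client presented.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // First HTTPS use pins the session to HTTPS for the rest of its life.
            if (session != null) {
                session.setAttribute(PINNED, Boolean.TRUE);
            }
        } else if (session != null && Boolean.TRUE.equals(session.getAttribute(PINNED))) {
            // The id travelled in the clear after HTTPS use: treat it as exposed.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "session is bound to HTTPS; plain HTTP request refused");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml ahead of the application's own filters. Marking the session cookie Secure (so the browser never sends it over HTTP at all) is the complementary control; this filter covers what that flag does not, such as a session id carried by URL rewriting.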