Hello,
others have commented on this, but first of all:
From a security point of view it is a bad design if a session gets switched
from SSL to non-SSL or vice-versa. The sessionid is always part of any
request. So anyone observing a non-SSL-request can obtain the sessionid and
thereby "hijack" a session that seems to be worth protecting. But if you
only want to protect the data that the user sends to the server, it _might_
be ok.
But now to the point: How is the switching done? Have you tried to encode
the sessionid in the request-url with response.encodeURL("TARGET-URL")? Does
the problem remain?
Greetings
Andreas Mohrig
-----Original Message-----
From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 November 2003 16:37
To: Tomcat Users List
Subject: Re: Sessions - SSL
Hello
> No, not at all.
I found that if I redirect a client from SSL to non-SSL I lose the session.
Harry Mantheakis
London, UK
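
Added example, not part of the thread: a Python model of the trade-off discussed above, using the standard library's cookie jar to decide when a client attaches the session cookie, and treating any session id in an http:// request as visible to an observer. The host name, the session id value, the simplified `rewrite()` stand-in for URL rewriting, and the assumption that the session cookie set over SSL carries the Secure attribute are all constructed for illustration.

```python
import urllib.request
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit, urlunsplit

HOST = "shop.example"        # constructed host name
SESSION_ID = "A1B2C3D4E5F6"  # constructed session id

def cookie_sent(url, secure):
    """Cookie header a standards-following client attaches to a request for url."""
    jar = CookieJar()
    # Positional fields: version, name, value, port, port_specified, domain,
    # domain_specified, domain_initial_dot, path, path_specified, secure,
    # expires, discard, comment, comment_url, rest
    jar.set_cookie(Cookie(0, "JSESSIONID", SESSION_ID, None, False, HOST, False,
                          False, "/", True, secure, None, True, None, None, {}))
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure rule; no network traffic
    return req.get_header("Cookie")

def rewrite(url):
    """Simplified model of URL rewriting: put ;jsessionid=<id> on the path."""
    p = urlsplit(url)
    return urlunsplit(p._replace(path=f"{p.path};jsessionid={SESSION_ID}"))

def request_view(url, secure_cookie):
    """Return (server_gets_id, observer_gets_id) for one request."""
    p = urlsplit(url)
    in_url = f";jsessionid={SESSION_ID}" in p.path
    server = in_url or cookie_sent(url, secure_cookie) is not None
    observer = server and p.scheme == "http"  # cleartext is readable on the wire
    return server, observer

if __name__ == "__main__":
    plain = f"http://{HOST}/cart"
    cases = [
        ("SSL request, Secure cookie", f"https://{HOST}/cart", True),
        ("redirect to non-SSL, Secure cookie", plain, True),
        ("non-SSL with rewritten URL", rewrite(plain), True),
        ("non-SSL, cookie without Secure", plain, False),
    ]
    for label, url, secure in cases:
        server, observer = request_view(url, secure)
        print(f"{label:36} server has session: {server!s:5} "
              f"observer sees id: {observer}")
```

In the second case the server receives no session id at all; the two cases that keep the session over non-SSL are exactly the ones where the id travels in cleartext.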