Hello Harry,

> I was getting users to log in using SSL, and then switching to non-SSL in
> order to avoid the SSL overheads. (When I decided I could not 'hang on' to
> the same session, I decided to stick with SSL permanently.)

So you manage to protect the password (which would otherwise be sent as
clear text). But afterwards your sessions are more or less unprotected.
Anyone sitting in the middle could grab a session and act as the previously
logged-in user if he can observe just one request that is not encrypted.

So maybe it would be a good idea to stick to SSL for that reason alone (and
'accidentally' save yourself the trouble of having to solve your current
problem).

Greetings

Andreas Mohrig

-----Original Message-----
From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 November 2003 18:12
To: Tomcat Users List
Subject: Re: Sessions - SSL


Hello Andreas

> if you only want to protect the data that the
> user sends to the server...

I was getting users to log in using SSL, and then switching to non-SSL in
order to avoid the SSL overheads. (When I decided I could not 'hang on' to
the same session, I decided to stick with SSL permanently.)

> Have you tried to encode the sessionid in the request-url with
> response.encodeURL("TARGET-URL")?...

I shall have to dig up the code to double-check, and it may take me a while,
so please bear with me on that.

Regards

Harry Mantheakis
London, UK

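Andreas's advice above (keep the whole session on SSL, because one cleartext request is enough to steal it) can be enforced inside the web application itself. The servlet filter below is an added example and is not code from either poster or from Tomcat; it assumes the Servlet 2.3 API (javax.servlet, as Tomcat 4 ships), that the filter is mapped to /* in web.xml so it sees every request, and that HTTPS is served on the default port 443. The class name RequireSslFilter and the helper stripSessionId are made up for this illustration.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * RequireSslFilter (added example, not code from the thread): once a user
 * holds a session, never let that session be used over a cleartext
 * connection. Map it to /* in web.xml so every request passes through it.
 */
public class RequireSslFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Encrypted connection: nothing to do, let the request through.
        if (request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        // Cleartext request that carries a session id, either as a JSESSIONID
        // cookie or as a ;jsessionid= path parameter from response.encodeURL.
        // That id has just travelled in the clear, so anyone on the path now
        // has it: invalidate the session rather than let an eavesdropper
        // continue it as the logged-in user.
        if (request.getRequestedSessionId() != null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // Send the browser to the HTTPS equivalent. Only a GET can be replayed
        // safely by a redirect; a cleartext POST (form data already exposed)
        // is refused outright.
        if (!"GET".equals(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This application must be used over HTTPS");
            return;
        }
        StringBuffer target = new StringBuffer("https://");
        target.append(request.getServerName()); // assumes HTTPS on port 443
        target.append(stripSessionId(request.getRequestURI()));
        String query = request.getQueryString();
        if (query != null) {
            target.append('?').append(query);
        }
        response.sendRedirect(target.toString());
    }

    /**
     * Removes a ";jsessionid=..." path parameter (hypothetical helper) so the
     * already-exposed id is not carried along into the redirect target.
     */
    static String stripSessionId(String uri) {
        int start = uri.indexOf(";jsessionid=");
        if (start < 0) {
            return uri;
        }
        int end = uri.indexOf('/', start);
        if (end < 0) {
            return uri.substring(0, start);
        }
        return uri.substring(0, start) + uri.substring(end);
    }
}
```

Register it in web.xml with a filter element naming the class and a filter-mapping whose url-pattern is /*. Tomcat already marks a JSESSIONID cookie it creates on an HTTPS request as Secure, so a browser will not present that cookie on a plain HTTP request; the filter covers what that flag does not: a session first created over HTTP, and a session id exposed in a rewritten URL.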