Hello Andreas

> So maybe it would be a good idea to stick to SSL for that reason alone (and
> 'accidentally' save yourself the trouble of having to solve your current
> problem).

Yes, okay, I take your point. I would still like to know, for the record, whether or not sessions are meant to be 'transferable' (so-to-speak) between SSL and non-SSL requests.

(Off for a few hours now...)

Regards

Harry Mantheakis
London, UK


> Hello Harry,
>
>> I was getting users to log in using SSL, and then switching to non-SSL in
>> order to avoid the SSL overheads. (When I decided I could not 'hang on' to
>> the same session, I decided to stick with SSL permanently.)
>
> So you manage to protect the password (which would otherwise be sent as
> clear text). But afterwards your sessions are more or less unprotected.
> Anyone sitting in the middle could grab a session and act as the previously
> logged-in user if he can observe just one request that is not encrypted.
>
> So maybe it would be a good idea to stick to SSL for that reason alone (and
> 'accidentally' save yourself the trouble of having to solve your current
> problem).
>
> Greetings
>
> Andreas Mohrig
>
> -----Original Message-----
> From: Harry Mantheakis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 12 November 2003 18:12
> To: Tomcat Users List
> Subject: Re: Sessions - SSL
>
>
> Hello Andreas
>
>> if you only want to protect the data that the
>> user sends to the server...
>
> I was getting users to log in using SSL, and then switching to non-SSL in
> order to avoid the SSL overheads. (When I decided I could not 'hang on' to
> the same session, I decided to stick with SSL permanently.)
>
>> Have you tried to encode the sessionid in the request-url with
>> response.encodeURL("TARGET-URL")?...
>
> I shall have to dig up the code to double-check, and it may take me a while,
> so please bear with me on that.
>
> Regards
>
> Harry Mantheakis
> London, UK
