[snipped]Also, as far as I can see, the java community has decided that once you start a secure session, you should stay in a secure session, for various security reasons. Are you doing a secure login and then redirecting back to http afterwards?
Imagine the following scenario -- A web site has different levels of user access. The difference between the users is what products they can see. The data is not terribly sensitive. However, the log-in should be secure for several reasons -- 1) For the users' perception -- people do not like the "This form is not secure" message when logging in. 2) Capturing a user id and password is worse than hijacking one session.
[snipped]Also -- this is the standard for Tomcat -- not Java -- (it may be in the servlet/jsp spec -- but if so, it is a new addition). Other Java based app servers treat this differently.
Again -- Just my 2 cents -- Is there a security issue I'm missing? If the argument is that you should NEVER go from secure to non-secure, the Tomcat solution does not assure that. It only means that you have to go non-secure, secure, and then non-secure. That seems quite arbitrary to me.
I'm not sure I would put the argument in those terms - obviously you can go from secure to non-secure via redirects, but tomcat is not going to be nice about it, i.e. wave your cookies goodbye.
There is new stuff in the spec related to secure sessions, but I'm not sure if it involves cookies. The issue is about encrypting the form-based CMS login form and in bugzilla it didn't get much sympathy:
http://issues.apache.org/bugzilla/show_bug.cgi?id=23970
I assume the issue was discussed in depth but I couldn't find it on the tomcat-dev list. Perhaps it was discussed by JCP somewhere else while writing the spec. If anyone who is on the dev list knows, I'd love to read the discussion.
The spec is about to go final after which any change of the issue is doomed, unfortunately IMHO. I'd gladly lend my voice to any last-ditch attempt to get it changed.
Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
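As an added illustration (not code from this thread or from Tomcat), here is the client-side rule behind "wave your cookies goodbye": a cookie carrying the Secure attribute is never attached to a plain-HTTP request, so a session whose JSESSIONID was minted over HTTPS vanishes on the redirect to HTTP, while one minted over HTTP (the non-secure, secure, non-secure route) survives and keeps travelling in the clear. It uses Python's standard cookie jar to apply that rule offline; the hostname and cookie value are constructed, and the premise that Tomcat flags the cookie Secure only when the session is first created on an HTTPS request is taken as an assumption from the discussion.

```python
import http.cookiejar
from urllib.request import Request

HOST = "shop.example"  # constructed hostname for the example


def session_cookie(secure: bool) -> http.cookiejar.Cookie:
    """Build a JSESSIONID cookie the way a container would set it (value is constructed)."""
    return http.cookiejar.Cookie(
        version=0, name="JSESSIONID", value="CONSTRUCTED0123456789",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_sent(jar: http.cookiejar.CookieJar, url: str) -> bool:
    """Apply the client-side Secure rule: would the jar attach JSESSIONID to this request?"""
    req = Request(url)
    jar.add_cookie_header(req)  # only builds the header; nothing is sent on the wire
    return req.has_header("Cookie")


def session_survives(created_over_https: bool, followup_url: str) -> bool:
    """Create the session under one scheme, then check whether the redirect target still carries it."""
    jar = http.cookiejar.CookieJar()
    # Assumption taken from the thread: a session first created on an HTTPS request gets a
    # Secure cookie, one first created on plain HTTP does not.
    jar.set_cookie(session_cookie(secure=created_over_https))
    return cookie_sent(jar, followup_url)


if __name__ == "__main__":
    # Login over HTTPS, redirect to HTTP: the Secure cookie is withheld and the session is gone.
    print(session_survives(True, f"http://{HOST}/catalog"))   # False
    # Login over HTTPS, stay on HTTPS: the session continues.
    print(session_survives(True, f"https://{HOST}/catalog"))  # True
    # The non-secure, secure, non-secure route: the cookie was minted without Secure, so it
    # follows the user back to HTTP, and so does its cleartext exposure to anyone on the path.
    print(session_survives(False, f"http://{HOST}/catalog"))  # True
```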