I've been watching the conversation on https, http, session switching, and so forth. If I followed this right, it sounds as if Tomcat 4, in dropping session information on the switch, is being RFC compliant.
So I want to know -- what are the security implications in keeping the session across a switch from http to https? Is this a matter of conforming to the RFCs, and, if so, what are the motivations for killing the session when crossing the line?

One problem I can think of: keeping the same session across the switch would require a lot of discipline on the programmer's part, to avoid revealing sensitive data to a browser window that had switched back to http.

I am thinking that one solution might be to record the session information and session-id in a database on the server, since the server should know what it is assigning to whom and when. I'm not sure what that buys, as opposed to keeping the same session. Also not sure whether it might open more holes to hijacking and spoofs.

Found some comments in the archives on the port numbers causing problems with session ids for Netscape, but not for IE. (Which causes me to think that keeping the session open across the switch from http to https may be a typical Microsoft shoot-you-in-the-foot shortcut.)

Would appreciate some pointers where else to look.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka
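One way to contain the risk the post describes (a session that has carried HTTPS-only state being resumed from a browser window that dropped back to http), as an added illustration that is not part of the original message or of Tomcat: a servlet filter that rotates the session id at the moment of the upgrade and refuses to resume a secure-bound session over cleartext. It assumes a Servlet 3.1 or later container (for `changeSessionId()`), and the class and attribute names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not Tomcat code). A session first seen over HTTPS is
 * marked "secure-bound": its id is rotated so the id that was exposed in
 * cleartext no longer identifies the HTTPS session, and any later plain-HTTP
 * request presenting that session is refused instead of served.
 */
public class SecureSessionBoundaryFilter implements Filter {
    static final String SECURE_BOUND = "secureBound"; // hypothetical attribute name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here

        if (session != null) {
            boolean bound = Boolean.TRUE.equals(session.getAttribute(SECURE_BOUND));
            // isSecure() reflects the connector; behind a TLS-terminating proxy
            // the connector must be configured to report the scheme correctly.
            if (request.isSecure() && !bound) {
                // First HTTPS use of a session that began over HTTP: keep the
                // attributes but issue a fresh id (Servlet 3.1+).
                request.changeSessionId();
                session.setAttribute(SECURE_BOUND, Boolean.TRUE);
            } else if (!request.isSecure() && bound) {
                // Secure-bound state must not be reachable from cleartext.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "session may not be resumed over plain HTTP");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Pair this with the session cookie's Secure flag (`<cookie-config><secure>true</secure>` in web.xml on Servlet 3.0+) so the rotated id is never sent over http in the first place.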
