I don't know if there is a spec that defines this behaviour.

The problem is that if you keep the same session id after you switch to https, it is possible that somebody steals your secure session. The only information that is used to identify the session is the session id. As long as you talk http, the session id is readable to anyone who can listen to your traffic. The cookie and the url are transmitted in clear text.

One little example: you have an application with a form to edit some sensitive data that has a confirmation page. If someone can guess or knows your session id, he can easily request the confirmation page with the same session id and see your submitted data.

I don't know if this thought is the reason behind Tomcat's behaviour.

> -----Original Message-----
> From: Joel Rees [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 27 March 2002 08:12
> To: Tomcat Users List
> Subject: sessions, security, and the RFCs
> <snip/>
> So I want to know -- what are the security implications in keeping the
> session across a switch from http to https? Is this a matter of conforming
> to the RFCs, and, if so, what are the motivations for killing the session
> when crossing the line?
> <snip/>
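The mitigation the reply describes (not carrying a session id that was exposed over plain http into the https part of the application) can be enforced in application code rather than relying on container behaviour. The following servlet filter is an added example, not code from the thread or from Tomcat; it assumes a Servlet 3.1+ container with the `javax.servlet` API (`HttpServletRequest.changeSessionId()`), and the attribute name `SEEN_SECURE` is an arbitrary marker chosen here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session id the first time a session that was created over
 * plain HTTP is used over HTTPS. Session attributes are kept, but the id
 * that travelled in clear text is no longer valid for the secure part of
 * the application. Illustrative filter; the marker attribute name is an
 * assumption of this example, not a Tomcat convention.
 */
public class SecureSessionIdFilter implements Filter {

    private static final String SEEN_SECURE = "SecureSessionIdFilter.seenSecure";

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Do not create a session here: only existing (possibly
            // http-born) sessions need their id replaced.
            HttpSession session = http.getSession(false);
            if (session != null && session.getAttribute(SEEN_SECURE) == null) {
                // Servlet 3.1+: keep the session state, issue a fresh id
                // and a new Set-Cookie so the old id stops working.
                http.changeSessionId();
                session.setAttribute(SEEN_SECURE, Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Rotation limits exposure but does not help if a captured id is replayed over https before the legitimate user's first secure request, since whoever presents it first gets the new id; the stronger rule is to never treat state established over plain http as authenticated, and to mark the session cookie Secure so it is not sent over http at all.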
