Carsten,

> As a consequence, switching from https to http and back is about equally
> secure as not using SSL at all. So you are shooting yourself in the foot by
> thinking that everything is safe, but your webapp is just one very big hole.

I would say that you are partially right. It may be valid to protect passwords in an https session and run the rest of the app (for performance reasons) in http. This is BTW how Microsoft's Passport is used in Hotmail by 100 million users, so this (bad habit) is definitely not that unusual. Anyway, I don't think that Tomcat should eliminate this possibility. Add warnings to the "deconfiguration switch" and call it: SuboptimalSecurity="true"|"false" :-)

Anders

--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
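The risk behind Carsten's point is that a session established over https carries its session ID in a cookie, and the moment the browser follows a plain http link that cookie crosses the wire in cleartext. An application that does not want to accept the trade-off Anders describes can make the downgrade harmless by refusing to honour an authenticated session over http. The servlet filter below is an added example written for this thread, not Tomcat code or anything from the original message; the attribute name `example.authenticatedOverTls`, the class name and the `loginPath` init parameter are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not part of Tomcat): a session is marked as
 * "authenticated over TLS" by the login code, and any later request that
 * presents that session over plain http is treated as a leaked session ID.
 * Map it in web.xml to every URL pattern that requires authentication.
 */
public class HttpsOnlySessionFilter implements Filter {

    // Hypothetical attribute name; any application-specific key works.
    static final String AUTH_OVER_TLS = "example.authenticatedOverTls";

    /**
     * To be called by the login servlet after the password check succeeds.
     * The flag is only set when the login itself happened over https, so a
     * session created on an http page can never be upgraded by accident.
     */
    public static void markAuthenticated(HttpServletRequest request) {
        if (request.isSecure()) {
            request.getSession(true).setAttribute(AUTH_OVER_TLS, Boolean.TRUE);
        }
    }

    public void init(FilterConfig cfg) {
        // No configuration needed; kept for the Filter contract.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never create a session here: a missing session simply means "not logged in".
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && Boolean.TRUE.equals(session.getAttribute(AUTH_OVER_TLS));

        if (authenticated && !request.isSecure()) {
            // The session cookie has just travelled in cleartext. Discard the
            // session so the ID is worthless to anyone who sniffed it, and
            // tell the client why instead of silently serving the page.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Authenticated session presented over plain http");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The filter only closes the door on the server side; it should be combined with marking the session cookie as Secure (Servlet 3.0 `<cookie-config><secure>true</secure></cookie-config>` in web.xml) so that a compliant browser never sends the cookie over http in the first place. Applications that deliberately keep the Passport-style split Anders mentions would instead leave the https session untouched and issue a separate, low-privilege token for the http part of the site.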
