On Tue, 2 Apr 2002, Ralph Einfeldt wrote:
> Date: Tue, 2 Apr 2002 09:40:48 +0200
> From: Ralph Einfeldt <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: AW: AW: sessions, security, and the RFCs
>
> As I understand it, the spec doesn't say much about the
> session behaviour in this scenario.
>
Servlet 2.2 (basis for Tomcat 3.x) said almost nothing about this, so you
cannot count on any portability.
Servlet 2.3 (basis for Tomcat 4.x) added some specific requirements (such
as the ability to redirect from the non-SSL port to the SSL port and
maintain the session).
Note -- anyone who goes from the SSL port back to the non-SSL port has
just created a security hole. I strongly urge you to add code to your
applications that prevents this from ever happening (even manually by the
user), by not accepting any non-SSL requests for a session once you've
accepted an SSL request for it (and stored sensitive information in the
session attributes).
Craig
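One way to enforce the rule Craig describes, as an added example that is not from the original thread: a Servlet 2.3 Filter (Tomcat 4.x and later) that records the first SSL use of a session and refuses any later plain-HTTP request carrying that session. The class and attribute names are hypothetical, and invalidating the exposed session is this example's own choice, going one step beyond simply refusing the request.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Pins a session to SSL: the first request that arrives over SSL with an
 * existing session marks it, and any later request for the same session
 * over plain HTTP is refused. Map it to url-pattern /* in web.xml.
 */
public class SslSessionPinningFilter implements Filter {

    // Hypothetical attribute key; any name unique to the application works.
    static final String SSL_SEEN = "example.session.sslSeen";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect it, so an
        // anonymous non-SSL request passes through untouched.
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (request.isSecure()) {
                // First SSL use of this session: from now on it is SSL-only.
                session.setAttribute(SSL_SEEN, Boolean.TRUE);
            } else if (session.getAttribute(SSL_SEEN) != null) {
                // The id of an SSL-only session just travelled in the clear.
                // Treat it as exposed: discard the session and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                                   "This session may only be used over SSL");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Whether the non-SSL request is rejected with 403 or redirected to a fresh login over SSL is an application choice; the point is that the old session id is never honoured in the clear again.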
> So it's quite legal that different containers implement
> opposite behaviours for the switch between http and https.
>
> It would be nice to hear what one of the gurus has to say
> about this topic ?
>
> > -----Original Message-----
> > From: Manuel Mall [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 28 March 2002 06:53
> > To: 'Tomcat Users List'
> > Subject: RE: AW: sessions, security, and the RFCs
> <snip/>
> > Why does Tomcat 4 implement a different session behaviour
> > than Tomcat 3.3 if they are both based on essentially the
> > same specification?
> <snip/>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>
>