I can't find in the spec that the session shall
be maintained if you switch from http to https. 

Can you provide a reference?

Wouldn't this be as dangerous as to keep the 
session after you go back from SSL to non-SSL? 
As I see it, this would open the door to anyone 
who could listen to the http network traffic to 
steal the secure session.

| SRV.7.1.2 SSL Sessions
| Secure Sockets Layer, the encryption technology 
| used in the HTTPS protocol, has a mechanism built 
| into it allowing multiple requests from a client 
| to be unambiguously identified as being part of a 
| session. A servlet container can easily use this 
| data to define a session.

| 12.8 ...
| The container must at least use SSL to respond to
| requests to resources marked integral or confidential. 
| If the original request was over HTTP, the container 
| must redirect the client to the HTTPS port.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 2 April 2002 18:47
> To: Tomcat Users List
> Subject: Re: AW: AW: sessions, security, and the RFCs
<snip/>
> Servlet 2.3 (basis for Tomcat 4.x) added some specific 
> requirements (such as the ability to redirect from the 
> non-SSL port to the SSL port and maintain the session).
<snip/>
> Note -- anyone who goes from the SSL port back to the 
> non-SSL port has just created a security hole.

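The risk raised in this thread is that a session ID handed out over plain HTTP can be read off the wire and then presented over HTTPS, where the container keeps honouring it. One defensive answer, independent of what any given container does on the redirect, is to discard the HTTP-issued session ID the first time the session is seen over HTTPS and continue with a fresh one. The filter below is an added illustration written for this thread, not code from Tomcat or from the original posters; it assumes the javax.servlet Filter API, and the class and attribute names are made up for the example.

```java
// Added example (not from the thread or from Tomcat): a servlet filter that
// rotates the session ID the first time a session created over plain HTTP
// is used over HTTPS, so an ID that may have been sniffed on HTTP is no
// longer valid. Class name and attribute key are assumptions for the example.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SecureUpgradeFilter implements Filter {

    // Session attribute set once the current session ID has only ever been
    // used over HTTPS (or was issued over HTTPS in the first place).
    private static final String SECURE_ONLY = "secureUpgradeFilter.secureOnly";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        if (request.isSecure()) {
            HttpSession session = request.getSession(false);
            if (session != null && session.getAttribute(SECURE_ONLY) == null) {
                // This ID was issued while the client was on HTTP and may have
                // been observed on the network: replace it, keeping the state.
                session = rotate(request, session);
                session.setAttribute(SECURE_ONLY, Boolean.TRUE);
            }
        }

        chain.doFilter(req, res);

        // A session the application created during this HTTPS request never
        // existed on HTTP, so mark it as secure-only right away.
        if (request.isSecure()) {
            HttpSession created = request.getSession(false);
            if (created != null && created.getAttribute(SECURE_ONLY) == null) {
                created.setAttribute(SECURE_ONLY, Boolean.TRUE);
            }
        }
    }

    // Invalidate the old session and copy its attributes into a new one,
    // which gives the client a new session ID (and a new cookie).
    static HttpSession rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Register the filter in web.xml with a filter-mapping that covers the protected URLs, and keep it in front of any filter that reads session state. Copying attributes through invalidate() and getSession(true) is the portable way to change the ID on the Servlet 2.3 API discussed in the thread; on Servlet 3.1 and later the same effect is available in one call as request.changeSessionId(). The rotation complements, rather than replaces, marking the resources CONFIDENTIAL through a user-data-constraint in web.xml, which is the mechanism behind the redirect requirement quoted from section 12.8 above: the constraint forces HTTPS, the rotation makes sure the session ID that travelled over HTTP before the redirect is worthless afterwards.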