Ralph, I could not find anything that disallows switching between https and http in any order while maintaining the session. Although not a particularly good idea, it is anyhow used "out there" to protect passwords but be less protective about the session.

I think that security issues should be dealt with as options, so as not to outlaw schemes that actually are used.

cheers,
Anders

----- Original Message -----
From: "Ralph Einfeldt" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 03, 2002 09:28
Subject: AW: AW: AW: sessions, security, and the RFCs

I can't find in the spec that the session shall be maintained if you switch from http to https. Can you provide a reference?

Wouldn't this be as dangerous as to keep the session after you go back from SSL to non-SSL? As I see it, this would open the door to anyone who could listen to the http network traffic to steal the secure session.

| SRV.7.1.2 SSL Sessions
| Secure Sockets Layer, the encryption technology used in the HTTPS protocol, has a mechanism built into it allowing multiple requests from a client to be unambiguously identified as being part of a session. A servlet container can easily use this data to define a session.
|
| 12.8 ...
| The container must at least use SSL to respond to requests to resources marked integral or confidential. If the original request was over HTTP, the container must redirect the client to the HTTPS port.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 2 April 2002 18:47
> To: Tomcat Users List
> Subject: Re: AW: AW: sessions, security, and the RFCs
<snip/>
> Servlet 2.3 (basis for Tomcat 4.x) added some specific
> requirements (such as the ability to redirect from the
> non-SSL port to the SSL port and maintain the session).
<snip/>
> Note -- anyone who goes from the SSL port back to the
> non-SSL port has just created a security hole.
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
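The hole Craig and Ralph describe is that a session id first used over SSL gets sent in clear text as soon as the browser follows a plain-http link, so anyone sniffing the http leg can replay it. The filter below is an added example written for this thread, not code from Tomcat, the servlet spec or any of the posters; it uses only the Servlet 2.3 API (javax.servlet.Filter, HttpServletRequest.isSecure(), HttpSession.invalidate()). It marks a session the first time it is seen over HTTPS and, if that same session id later arrives over plain HTTP, invalidates it and redirects to the HTTPS URL. The attribute name and the assumption that SSL runs on the default port 443 are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not part of Tomcat or the servlet spec): a session that
 * has been used over HTTPS is marked as such; if the same session id later
 * arrives over plain HTTP, the session is invalidated, because the id has just
 * travelled in the clear and must be treated as disclosed.
 */
public class SslSessionGuardFilter implements Filter {

    // Attribute name is an assumption of this example.
    static final String USED_OVER_SSL = "example.sessionUsedOverSsl";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect an existing session; never create one from this filter.
        HttpSession session = request.getSession(false);

        if (session != null) {
            Boolean usedOverSsl = (Boolean) session.getAttribute(USED_OVER_SSL);

            if (request.isSecure()) {
                if (usedOverSsl == null) {
                    // First HTTPS request for this session: remember it. A session
                    // that started over HTTP and was carried into HTTPS (the 12.8
                    // redirect case) is marked here too; its id was already exposed
                    // on the HTTP leg, so a stricter deployment would issue a new
                    // session at this point rather than keep the old id.
                    session.setAttribute(USED_OVER_SSL, Boolean.TRUE);
                }
            } else if (Boolean.TRUE.equals(usedOverSsl)) {
                // The session id that protected the SSL part of the visit has now
                // been sent in clear text. Anyone listening on the HTTP leg could
                // replay it, so drop the session and send the client back to HTTPS.
                session.invalidate();
                response.sendRedirect(secureUrl(request));
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Rebuild the requested URL under https; the default SSL port 443 is assumed. */
    static String secureUrl(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://");
        url.append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Map the filter to /* in web.xml so it sees every request. This does not stop the first clear-text transmission of the id (the browser has already sent it before the filter runs); it limits the damage by making the disclosed id worthless. The scheme Anders describes, HTTPS for the login page only and plain HTTP afterwards, is exactly the case this filter refuses, so a site that wants that scheme has to accept that its session id is unprotected after login.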