If you switch from HTTPS to HTTP and keep the session, that means that now the session id is sent unencrypted (either as a cookie or as part of the URL). So now everybody who can listen to your traffic can take that data, steal the session and act as the owner of the session, and there is nothing you can do about it.

Yes, SSL has some effect on performance, but to really feel it you must get a high load on the server. In typical applications the main load comes from other hot spots. The higher the needed transfer rate is, the higher the risk will be that you experience some penalties, but I think it's cheaper to solve them by scaling the hardware. I think you should stress-test your application with both protocols and judge for yourself what impact HTTPS has and what you are willing to invest (in work or hardware) to reduce the impact.

> -----Original Message-----
> From: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 9 August 2002 15:52
> To: 'Tomcat Users List'
> Subject: RE: SSL just for a login page
>
>
> Could you explain to me why this would open such a big
> security hole from swapping from https to http.
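As an added illustration of the exposure described in the reply above (example code, not part of the original thread or of Tomcat): a small audit script that scans constructed request records and reports every place a Tomcat session id (the JSESSIONID cookie, or the ";jsessionid=" URL rewriting form) travels over plain http://. The host name, session values and record format are made up for the example.

```python
"""Flag session identifiers observed on plaintext HTTP requests.

Constructed example: each record is (request URL, Cookie header) and stands
in for one captured request. A record is reported when a session id is
carried over http:// in the cookie or in the URL, i.e. exactly the data an
eavesdropper on the path could replay after the switch away from HTTPS.
"""
import re
from urllib.parse import urlsplit

# Tomcat's default session identifier, in cookie and URL-rewriting form.
COOKIE_NAME = "JSESSIONID"
URL_PARAM_RE = re.compile(r";jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

# Constructed sample records (made-up host and session values).
SAMPLE_RECORDS = [
    ("https://shop.example/login", ""),
    ("https://shop.example/account", "JSESSIONID=ABCDEF0123456789; theme=dark"),
    ("http://shop.example/catalog", "JSESSIONID=ABCDEF0123456789; theme=dark"),
    ("http://shop.example/catalog;jsessionid=ABCDEF0123456789", ""),
    ("http://shop.example/static/logo.png", "theme=dark"),
]


def session_id_from_cookie(cookie_header):
    """Return the JSESSIONID value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def session_id_from_url(url):
    """Return the session id from ';jsessionid=' URL rewriting, or None."""
    match = URL_PARAM_RE.search(url)
    return match.group(1) if match else None


def find_plaintext_session_leaks(records):
    """Return (url, session_id, carrier) for each record that exposes a
    session id over plain HTTP; https:// records are never reported."""
    leaks = []
    for url, cookie_header in records:
        if urlsplit(url).scheme.lower() != "http":
            continue
        sid = session_id_from_cookie(cookie_header)
        carrier = "cookie"
        if sid is None:
            sid, carrier = session_id_from_url(url), "url"
        if sid:
            leaks.append((url, sid, carrier))
    return leaks


if __name__ == "__main__":
    for url, sid, carrier in find_plaintext_session_leaks(SAMPLE_RECORDS):
        print(f"session {sid} exposed via {carrier} on {url}")
```

Running it over real access logs or a capture would use the same two checks; the mitigation the reply implies is to never let a session established over HTTPS continue over HTTP.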
