>   I agree with you 100% but there can be a simple solution to the problem
> that you just raised, and that is that a new session id is created and
> mapped in some table when moving from https-->http. This way user B can not
> get access to the admin page.

Two things you'd have to be really careful about --

Never let the https session id be exposed in an http session. (How do
you do that? Tested it under all operating contexts, every browser?)

Never let a switch back to https occur without re-verifying the user.
(Can this be done seamlessly?)

If you used two distinct (sub)domains (for instance,
http://user.myapp.com and https://secureuser.myapp.com) and were really
careful about the cookie settings for the session ids, might it be
workable? Would it require customizing Tomcat? Is it worth the time to
test (and the risk that the testers didn't think of everything)?

-- 
Joel Rees <[EMAIL PROTECTED]>
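A small Python model of the design the two messages are debating: two session tables (a privileged https session and a distinct http session mapped to it), a Secure, host-only cookie for the https id, and a re-verification step before the privileged session is honored again after a trip through http. This is an added illustration, not code from the thread or from Tomcat. The hostnames are the two proposed in the mail; the cookie names, the placeholder credential check, and appending the plain cookie directly to the jar on downgrade (instead of a one-time handoff to the http host) are assumptions made for the example. `https_id_leaks` is the check the mail asks about, run over every scheme and host combination the model knows.

```python
"""Model of scheme-split sessions: Secure cookie scoping plus re-verification (constructed example)."""
from dataclasses import dataclass
import secrets

SECURE_HOST = "secureuser.myapp.com"   # the two hostnames proposed in the mail
PLAIN_HOST = "user.myapp.com"


@dataclass
class Cookie:
    name: str
    value: str
    host: str      # host-only cookie: a browser sends it only to exactly this host
    secure: bool   # Secure attribute: a browser sends it only over https


def cookies_sent(jar, scheme, host):
    """The cookies a conforming browser attaches to a request (host-only and Secure rules only)."""
    return {c.name: c.value for c in jar
            if c.host == host and (scheme == "https" or not c.secure)}


class SessionServer:
    """Two session tables: privileged https sessions, and plain http sessions mapped to them."""

    def __init__(self):
        self.secure = {}   # https session id -> {"user": ..., "verified": bool}
        self.plain = {}    # http session id -> https session id (the "mapping table")

    def login(self, jar, user, password):
        """Over https only: create a privileged session and a Secure, host-only cookie."""
        if password != "correct-horse":          # assumed placeholder credential check
            return False
        sid = secrets.token_hex(16)
        self.secure[sid] = {"user": user, "verified": True}
        jar.append(Cookie("SSESSION", sid, SECURE_HOST, secure=True))
        return True

    def downgrade(self, jar):
        """Leaving https for http: mint a distinct id and require re-verification later."""
        sid = cookies_sent(jar, "https", SECURE_HOST).get("SSESSION")
        if sid not in self.secure:
            return None
        pid = secrets.token_hex(16)
        self.plain[pid] = sid
        self.secure[sid]["verified"] = False
        # Simplification (assumption): a real http host would set this cookie itself
        # after a one-time handoff token; here it is appended directly to the jar.
        jar.append(Cookie("PSESSION", pid, PLAIN_HOST, secure=False))
        return pid

    def admin_page(self, cookies, scheme):
        """Admin is served only to a verified https session; a plain id never qualifies."""
        if scheme != "https":
            return "denied: not https"
        sid = cookies.get("SSESSION")
        if sid not in self.secure:
            return "denied: no https session"
        if not self.secure[sid]["verified"]:
            return "denied: re-verify"
        return f"admin for {self.secure[sid]['user']}"

    def reverify(self, cookies, password):
        """Back on https: the user proves identity again before the privileged session is honored."""
        sid = cookies.get("SSESSION")
        if sid in self.secure and password == "correct-horse":
            self.secure[sid]["verified"] = True
            return True
        return False


def https_id_leaks(jar):
    """The check the mail asks for: does the https id appear in any http request, to any host?"""
    secure_ids = {c.value for c in jar if c.name == "SSESSION"}
    for host in (SECURE_HOST, PLAIN_HOST):
        if secure_ids & set(cookies_sent(jar, "http", host).values()):
            return True
    return False


def scenario():
    """Walk through login, downgrade, a captured plain id (user B), and re-verification."""
    server, jar = SessionServer(), []
    server.login(jar, "alice", "correct-horse")
    pid = server.downgrade(jar)
    user_b = {"PSESSION": pid}   # user B holds only the plain id seen over http
    secure_cookies = cookies_sent(jar, "https", SECURE_HOST)
    results = {
        "leak": https_id_leaks(jar),
        "user_b_http": server.admin_page(user_b, "http"),
        "user_b_https": server.admin_page(user_b, "https"),
        "alice_before": server.admin_page(secure_cookies, "https"),
    }
    server.reverify(secure_cookies, "correct-horse")
    results["alice_after"] = server.admin_page(secure_cookies, "https")
    return results


if __name__ == "__main__":
    print(scenario())
```

The model keeps the browser-side rules deliberately minimal (host-only match and the Secure attribute); the mail's question about "all operating contexts, every browser" is exactly the gap between this idealized jar and real user agents, which is why `https_id_leaks` is written as a reusable check rather than a one-off assertion.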
