As long as you know what you do and are sure that you (or any other person that may maintain the site in the future) always remember what you have done, that may be ok.

The risk I see with such an approach is that it is quite easy to forget about the potential risks of this solution when somebody adds some functionality to the site somewhere in the future that breaks the basic assumption behind this solution. If you use form-based login, make damn sure that there is no way for a user to edit his password or other sensitive data, as this way you can't protect that page against an intruder after the user switched back to http. With form-based login the user is stored in the session, and somebody who steals a session is authenticated as far as tomcat is concerned.

> -----Original Message-----
> From: John Holman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 10, 2003 2:02 PM
> To: Tomcat Users List
> Subject: Re: HTTPS to HTTP
>
>
> In this scenario, the *only* page requiring SSL would be
> the login page that collects the username and password.
> (That could be either a dedicated application login page
> or the login page configured for form-based login. Basic
> authentication is never an option!). If this condition is
> met I still don't see that stealing the session id will
> enable anything that would be considered a risk.
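The point in the reply above is that once the browser has fallen back to plain http, the JSESSIONID cookie is all Tomcat needs to treat a request as the logged-in user, so a sensitive page cannot be protected by the session alone. The following servlet filter is an added example written for this note; it is not Tomcat code and was not posted in the thread. It assumes the sensitive pages (password change and the like) are mapped to the filter in web.xml (say under `/account/*`), a re-authentication page at `/reauth.jsp` that is served only over SSL and calls `issueToken` after checking the password again, and the cookie and attribute names `SSLTOKEN` and `ssl.token`; all of those names are assumptions. The idea is a second credential that plain-http traffic never carries: a random token set in a cookie with the Secure flag, with the expected value kept server-side in the session.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not Tomcat code) guarding pages that edit sensitive
 * data. A session id sniffed from http traffic is not enough here: the
 * request must also carry a token that was only ever sent over https.
 */
public class SecureAreaFilter implements Filter {
    /** Cookie that is flagged Secure, so the browser never sends it over http (assumed name). */
    static final String TOKEN_COOKIE = "SSLTOKEN";
    /** Session attribute holding the value the server expects in that cookie (assumed name). */
    static final String TOKEN_ATTR = "ssl.token";
    /** Page that asks for the password again; must itself be SSL-only (assumed path). */
    static final String REAUTH_PAGE = "/reauth.jsp";

    private static final SecureRandom RANDOM = new SecureRandom();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The page itself must be on SSL: a new password posted over http
        // would be exposed no matter how well the session is protected.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        HttpSession session = request.getSession(false);
        if (session == null || request.getUserPrincipal() == null
                || !tokenMatches(session, request.getCookies())) {
            // Form-login session present but no https-only proof: whoever
            // this is, they re-enter the password before touching sensitive data.
            response.sendRedirect(request.getContextPath() + REAUTH_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when the Secure cookie is present and equals the session's copy. */
    static boolean tokenMatches(HttpSession session, Cookie[] cookies) {
        Object expected = session.getAttribute(TOKEN_ATTR);
        if (!(expected instanceof String) || cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (TOKEN_COOKIE.equals(cookies[i].getName())) {
                return constantTimeEquals((String) expected, cookies[i].getValue());
            }
        }
        return false;
    }

    /**
     * Called by the re-authentication page after it has verified the password
     * over SSL. The token reaches the browser only on this https response and,
     * being flagged Secure, is never sent back on an http request.
     */
    static void issueToken(HttpSession session, HttpServletResponse response) {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        StringBuffer hex = new StringBuffer(32);
        for (int i = 0; i < raw.length; i++) {
            hex.append(Integer.toHexString((raw[i] & 0xff) | 0x100).substring(1));
        }
        String token = hex.toString();
        session.setAttribute(TOKEN_ATTR, token);
        Cookie cookie = new Cookie(TOKEN_COOKIE, token);
        cookie.setSecure(true);   // browser presents it on https:// requests only
        cookie.setPath("/");
        cookie.setMaxAge(-1);     // session cookie: discarded when the browser closes
        response.addCookie(cookie);
    }

    /** Compare the two strings without revealing at which character they differ. */
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

Note what this does and does not buy you: the ordinary session still crosses http in the clear, so a copied JSESSIONID still reaches every non-sensitive page; what changes is that the password-change pages now depend on a cookie that was only ever transmitted over SSL, which is exactly the assumption that the "login page only" design in the quoted message cannot give you. The simpler alternative remains keeping the whole authenticated session on https and marking JSESSIONID itself Secure.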