anyway since they may have gone off to lunch leaving an active session on their PC ...
John
Ralph Einfeldt wrote:
As long as you know what you do and are sure that you (or any other person that may maintain the site in the future) always remember what you have done, that may be ok.
The risk I see with such an approach is that it is quite easy to forget about the potential risks of this solution when somebody adds some functionality to the site somewhere in the future that breaks the basic assumption behind this solution.
If you use form-based login, make damn sure that there is no way for a user to edit his password or other sensitive data, as this way you can't protect that page against an intruder after the user switched back to HTTP.
With form-based login the user is stored in the session, and somebody who steals a session is authenticated as far as Tomcat is concerned.
-----Original Message-----
From: John Holman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:02 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In this scenario, the *only* page requiring SSL would be the login page that collects the username and password. (That could be either a dedicated application login page or the login page configured for form-based login. Basic authentication is never an option!) If this condition is met I still don't see that stealing the session id will enable anything that would be considered a risk.
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
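The point Ralph makes about form-based login (the authenticated principal lives in the HttpSession, so whoever presents the JSESSIONID cookie is that user as far as Tomcat is concerned) can be turned into a guard in the application itself. The filter below is an added example written for this thread, not code from Tomcat or from any of the posters: it assumes a Servlet 2.3 container with FORM authentication, and the filter name, the `loginPage` init parameter, the `/login.jsp` target and the use of port 443 are all hypothetical choices for illustration. Its policy is the conservative reading of Ralph's warning: once a request carrying an authenticated session arrives over plain HTTP, the session id has already crossed the wire in clear text, so the session is invalidated and the user is sent back to log in over HTTPS rather than served anything under a cookie that may now be in someone else's hands.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of the thread or of Tomcat: a servlet filter that
 * refuses to let an authenticated (FORM-login) session be used over plain HTTP.
 *
 * Policy implemented here (an application-level choice, not container behaviour):
 *  - a request over HTTP that carries a session with an authenticated principal
 *    has that session invalidated and is redirected to an https:// login URL;
 *  - a request over HTTPS, or one with no authenticated session, passes through.
 *
 * The "loginPage" init parameter and its default "/login.jsp" are hypothetical.
 */
public class RequireSslForAuthenticatedSessionFilter implements Filter {

    private String loginPage = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("loginPage");
        if (p != null) {
            loginPage = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAuthenticatedOverPlainHttp(request)) {
            // The session id has just been sent in clear text. There is no way to
            // tell the real user from someone replaying the cookie, so discard the
            // server-side state instead of serving a protected page under it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(httpsUrl(request, request.getContextPath() + loginPage));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the container has authenticated this caller (non-null principal,
     * which after FORM login comes from the session) but the request is not on SSL.
     */
    static boolean isAuthenticatedOverPlainHttp(HttpServletRequest request) {
        if (request.isSecure()) {
            return false;
        }
        return request.getUserPrincipal() != null && request.getSession(false) != null;
    }

    /** Rebuild an absolute https:// URL for the same host; the default port 443 is assumed. */
    static String httpsUrl(HttpServletRequest request, String path) {
        return "https://" + request.getServerName() + path;
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to `/*` with a `<filter>` and `<filter-mapping>` entry in web.xml so it runs before every protected resource, and still declare the sensitive pages (password change, profile) with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` so the container itself redirects them to SSL. Two caveats: the filter cannot undo the first clear-text exposure, it only makes the exposed cookie worthless from that request on, so an attacker who sniffs the cookie and replays it over HTTPS before the server processes the legitimate request would still win the race; and an application that genuinely needs to run the bulk of its pages over HTTP after login has to accept exactly the risk Ralph describes, because the same cookie is the credential on both sides of the switch.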
