Adam Hardy wrote:
I tried this 18 months ago and if my memory serves me well, in Tomcat
5, if I switch the request back out of SSL with a redirect or similar,
I can no longer see the SSL session (and am effectively not logged in
anymore).
Is there an easy way around this? A JavaScript encryption routine for
the password or some trick with ssl-ext?

<plug-in className="org.apache.struts.action.SecurePlugIn">
    <set-property property="httpPort" value="8080"/>
    <set-property property="httpsPort" value="8443"/>
    <set-property property="enable" value="true"/>
    <set-property property="addSession" value="false"/>
</plug-in>

From sslext.sourceforge.net:
"Also added is the ability to configure the "always add Session ID to
URL feature". This feature was added in a previous release to compensate
for older browsers that do not automatically share sessions between the
http and https protocols. If you are sure that this problem will not
exist for you, you can now disable this feature through the "addSession"
property of the SecurePlugIn (or SecureTilesPlugin). Thanks to all who
suggested this enhancement. (Or otherwise complained about the old
behavior :-)."
Dave