No, there isn't a safe way to do this, especially if you are using
401/HTTP authentication. The cookie that stores the servlet session ID
is marked as secure and therefore cannot be viewed outside of HTTPS.
Once you leave HTTPS and enter HTTP, a new servlet session will be
started and you will not have access to any of your HTTPS information.

If you forced the HTTPS cookie into not-secure mode, you now open your
application to impersonation attacks. Anyone could easily snag that
cookie definition from the HTTP request headers and impersonate that
user, bypassing login. The one way to have a secure application is to
stay in HTTPS.

If you aren't worried about impersonation attacks and don't care much
about users' security, just set the cookie's secure flag to false.


On 11/3/06, Steven Gollery <[EMAIL PROTECTED]> wrote:

I'm using the sandbox s:form component to send login information over https.
This works fine. Now the problem is: I don't want to run the whole site in
https after users log in, so I'd like to switch back somehow for the next
page. Any way to do that?


--
View this message in context: 
http://www.nabble.com/leaving-https-tf2570694.html#a7166089
Sent from the MyFaces - Users mailing list archive at Nabble.com.
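
The two cases described in the reply above, as an added example that is not part of the original thread: Python's `http.cookiejar` stands in for the browser and a small dictionary stands in for the servlet container's session table. The host name, session ID and user name are constructed.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed values: host name and session ID are placeholders.
LOGIN_URL = "https://app.example.test/login"
NEXT_HTTP = "http://app.example.test/home"
NEXT_HTTPS = "https://app.example.test/home"
SESSION_ID = "CONSTRUCTED0001"


class _Response:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, next_url):
    """Return the Cookie header a client sends to next_url after the login response."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(LOGIN_URL))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure rule per scheme
    return follow_up.get_header("Cookie")


def resolve_session(cookie_header, sessions):
    """Mimic the container: reuse a known session or start a new empty one."""
    if cookie_header:
        for part in cookie_header.split("; "):
            name, _, value = part.partition("=")
            if name == "JSESSIONID" and value in sessions:
                return sessions[value]
    return {"user": None}  # new session: nothing from the HTTPS login


SESSIONS = {SESSION_ID: {"user": "alice"}}  # constructed session table
SECURE = f"JSESSIONID={SESSION_ID}; Path=/; Secure; HttpOnly"
NOT_SECURE = f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly"

if __name__ == "__main__":
    for label, header in (("Secure", SECURE), ("not Secure", NOT_SECURE)):
        for url in (NEXT_HTTPS, NEXT_HTTP):
            sent = cookie_sent(header, url)
            print(label, url, "->", sent, resolve_session(sent, SESSIONS))
```

With the Secure attribute the HTTP request carries no session cookie and the server starts an empty session; without it the session ID travels in the cleartext request header and resolves to the logged-in session.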

