Okay -- let me expand the use case a bit.

The site has two parts, one public and one private. A user logs in, does
whatever he needs to do in the secure area, and then logs out. At that
point, I would like to go back to using http instead of https. 

But I can't find the way to do this. Changing the cookie from secure=true to
secure=false doesn't switch from https to http. Neither does setting the
cookie's maxAge to 0.

As far as I can see, once a JSF site is using https, there's no way to
switch back to http, even though this is a common requirement for real-world
sites (example: every online shopping site I've ever seen).

What am I missing?

Steven Gollery



Andrew Robinson-5 wrote:
> 
> No there isn't a safe way to do this, especially if you are using
> 401/HTTP authentication. The cookie that stores the servlet session ID
> is marked as secure and therefore cannot be viewed outside of HTTPS.
> Once you leave HTTPS and enter HTTP, a new servlet session will be
> started and you will not have access to any of your HTTPS information.
> 
> If you forced the HTTPS cookie into not-secure mode, you now open your
> application to impersonation attacks. Anyone could easily snag that
> cookie definition from the HTTP request headers and impersonate that
> user, bypassing login. The one way to have a secure application is to
> stay in HTTPS.
> 
> If you aren't worried about impersonation attacks and don't care much
> about users' security, just set the cookie's secure flag to false.
> 
> 
> On 11/3/06, Steven Gollery <[EMAIL PROTECTED]> wrote:
>>
>> I'm using the sandbox s:form component to send login information over
>> https.
>> This works fine. Now the problem is: I don't want to run the whole site
>> in
>> https after users login, so I'd like to switch back somehow for the next
>> page. Any way to do that?
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/leaving-https-tf2570694.html#a7166089
>> Sent from the MyFaces - Users mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: 
http://www.nabble.com/leaving-https-tf2570694.html#a7241966
Sent from the MyFaces - Users mailing list archive at Nabble.com.
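The behaviour Andrew describes (a session cookie marked Secure is withheld by the browser on http:// requests, so the container starts a fresh session) and the logout-then-leave-HTTPS case Steven asks about, shown with Python's http.cookiejar standing in for the browser and a small dictionary standing in for the servlet container's session registry. This is an added example, not code from the thread or from MyFaces; the host name shop.example, the cookie name JSESSIONID, the user name and the session store are constructed for it.

```python
"""Added example: what a user agent does with a Secure session cookie when a
site drops from https:// back to http://, and why invalidating the session on
logout is the safe way to leave HTTPS.

Everything below is constructed for the example (host, cookie name, user).
"""
import secrets
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "shop.example"          # constructed placeholder host
SESSION_COOKIE = "JSESSIONID"  # servlet-container session cookie name


class ServletSessions:
    """Minimal stand-in for a servlet container's session registry."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session attributes

    def lookup_or_create(self, cookie_header):
        """Resolve the incoming Cookie header to (sid, attributes, created).

        A request carrying no usable JSESSIONID gets a brand-new empty session,
        which is exactly what happens when the browser withholds a Secure
        cookie on an http:// request.
        """
        if cookie_header:
            for part in cookie_header.split(";"):
                name, _, value = part.strip().partition("=")
                if name == SESSION_COOKIE and value in self._sessions:
                    return value, self._sessions[value], False
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid, self._sessions[sid], True

    def invalidate(self, sid):
        """Like HttpSession.invalidate(): the id stops resolving."""
        self._sessions.pop(sid, None)


def make_session_cookie(sid, secure):
    """Build the cookie a container would emit in Set-Cookie for sid."""
    return Cookie(
        version=0, name=SESSION_COOKIE, value=sid,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Ask the jar which Cookie header the browser would attach for url."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure/domain/path policy
    return request.get_header("Cookie")  # None when nothing is attached


def simulate_leaving_https(secure_flag):
    """Log in over https, then request an http page with the same jar."""
    server = ServletSessions()
    jar = CookieJar()
    sid, attrs, _ = server.lookup_or_create(None)  # session created at login
    attrs["user"] = "alice"                        # constructed user
    jar.set_cookie(make_session_cookie(sid, secure_flag))

    https_header = cookie_header_for(jar, f"https://{HOST}/account")
    http_header = cookie_header_for(jar, f"http://{HOST}/catalog")
    _, http_attrs, created = server.lookup_or_create(http_header)
    return {
        "sent_over_https": https_header is not None,
        # With secure=False the id travels in the cleartext request headers,
        # which is the impersonation exposure described in the thread.
        "sent_in_cleartext": http_header is not None,
        "new_session_on_http": created,
        "http_user": http_attrs.get("user"),
    }


def logout_then_leave_https():
    """Invalidate the HTTPS session on logout, then continue over http.

    The id the browser still holds no longer resolves, so neither the http://
    part of the site nor a later https:// request can reach the old session.
    """
    server = ServletSessions()
    jar = CookieJar()
    sid, attrs, _ = server.lookup_or_create(None)
    attrs["user"] = "alice"
    jar.set_cookie(make_session_cookie(sid, secure=True))
    server.invalidate(sid)  # logout
    later = cookie_header_for(jar, f"https://{HOST}/")
    new_sid, new_attrs, created = server.lookup_or_create(later)
    return created and new_sid != sid and "user" not in new_attrs


if __name__ == "__main__":
    print("Secure cookie:", simulate_leaving_https(True))
    print("Non-secure cookie:", simulate_leaving_https(False))
    print("Logout then leave https is safe:", logout_then_leave_https())
```

Running it shows the two halves of the thread side by side: with the Secure flag the http:// page never sees the cookie and gets an anonymous session, and without the flag the same session id is sent in clear on every http:// request. The safe pattern for the logout case is the last function: invalidate server-side first, then redirect to the http:// page, which is free to start its own anonymous session.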
