"...send a redirect to the current page, replacing https with http...."

Exactly what I don't see how to do. Is there some way to set the protocol in a navigation-rule? Or is there another way to do a redirect in JSF?

Steven Gollery

Andrew Robinson-5 wrote:
>
> If you don't care about remembering the user, then just use the
> sandbox form control. It allows you to set the protocol for a form
> post. Otherwise, if you are already on the server, send a redirect to
> the current page, replacing https with http.
>
> On 11/8/06, Steven Gollery <[EMAIL PROTECTED]> wrote:
>>
>> Okay -- let me expand the use case a bit.
>>
>> The site has two parts, one public and one private. A user logs in, does
>> whatever he needs to do in the secure area, and then logs out. At that
>> point, I would like to go back to using http instead of https.
>>
>> But I can't find the way to do this. Changing the cookie from secure=true
>> to secure=false doesn't switch from https to http. Neither does setting
>> the cookie's maxAge to 0.
>>
>> As far as I can see, once a JSF site is using https, there's no way to
>> switch back to http, even though this is a common requirement for
>> real-world sites (example: every online shopping site I've ever seen).
>>
>> What am I missing?
>>
>> Steven Gollery
>>
>>
>> Andrew Robinson-5 wrote:
>> >
>> > No there isn't a safe way to do this, especially if you are using
>> > 401/HTTP authentication. The cookie that stores the servlet session ID
>> > is marked as secure and therefore cannot be viewed outside of HTTPS.
>> > Once you leave HTTPS and enter HTTP, a new servlet session will be
>> > started and you will not have access to any of your HTTPS information.
>> >
>> > If you forced the HTTPS cookie into not-secure mode, you now open your
>> > application to impersonation attacks. Anyone could easily snag that
>> > cookie definition from the HTTP request headers and impersonate that
>> > user, bypassing login. The one way to have a secure application is to
>> > stay in HTTPS.
>> >
>> > If you aren't worried about impersonation attacks and don't care much
>> > about user's security, just set the cookie's secure flag to false.
>> >
>> >
>> > On 11/3/06, Steven Gollery <[EMAIL PROTECTED]> wrote:
>> >>
>> >> I'm using the sandbox s:form component to send login information over
>> >> https. This works fine. Now the problem is: I don't want to run the
>> >> whole site in https after users login, so I'd like to switch back
>> >> somehow for the next page. Any way to do that?
>> >>
>> >>
>> >> --
>> >> View this message in context:
>> >> http://www.nabble.com/leaving-https-tf2570694.html#a7166089
>> >> Sent from the MyFaces - Users mailing list archive at Nabble.com.
>> >>
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/leaving-https-tf2570694.html#a7241966
>> Sent from the MyFaces - Users mailing list archive at Nabble.com.
>>
>

--
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7245500
Sent from the MyFaces - Users mailing list archive at Nabble.com.
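An added example, not part of the thread and not MyFaces code: one way to do the server-side redirect discussed above for the logout case, ending the HTTPS session first so the secure session cookie is never needed over http. The class name `LogoutBean`, the method names and the host, port and page constants are assumptions; the calls used are the standard JSF 1.x and servlet APIs.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical logout bean; class, method and constant names are assumptions. */
public class LogoutBean {

    // Assumed deployment values. They come from configuration, not from the
    // request's Host header, so the client cannot influence the redirect target.
    private static final String PUBLIC_HOST = "www.example.com";
    private static final int HTTP_PORT = 80;
    private static final String PUBLIC_PAGE = "/index.jsf";

    /** Action method for the logout button, e.g. action="#{logoutBean.logout}". */
    public String logout() throws IOException {
        FacesContext faces = FacesContext.getCurrentInstance();
        ExternalContext external = faces.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) external.getRequest();

        // End the authenticated session while still on HTTPS. The session cookie
        // keeps its secure flag, and the ID it carries no longer maps to a session.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Absolute redirect to the public area over plain http.
        external.redirect(httpUrl(request.getContextPath(), PUBLIC_PAGE));

        // Tell JSF the response is already written, so no navigation-rule
        // is evaluated and no view is rendered for this request.
        faces.responseComplete();
        return null;
    }

    /** Builds the http URL from configured values plus the webapp's context path. */
    static String httpUrl(String contextPath, String page) {
        String port = (HTTP_PORT == 80) ? "" : ":" + HTTP_PORT;
        return "http://" + PUBLIC_HOST + port + contextPath + page;
    }
}
```

The http side starts with a new, unauthenticated servlet session, which matches the behaviour Andrew describes for leaving HTTPS.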

