Hi guys. I'm following this loosely, along with some other threads.
There is another one going on right now which also talks about
authentication, hijacking JSESSIONID etc.
Gregor, what is not very clear to me, and maybe you want to do a wrapup,
is what exactly you are - and are not - trying to achieve.
For example, /why/ you want the users to log in, and /if/ you want this
one login to be valid for your 4 websites/applications (say "convenience
SSO") or not. And /if/ you want that one user, having logged in once
today, should be able to re-access the same application later on without
logging in again, if in the meantime he went to have a long lunch, or
closed his browser etc.
Or if you want a login just to block robots from accessing the site, or
if you want a login just so that you can track a user for reasons of
statistics and so on.
From earlier explanations, it does not seem that you really have any
confidential information to protect, nor that you are too worried about
someone hijacking a user session etc.
And, if you want users to log in, how are you giving them a user-id and
password to log in?
I'm just mentioning all this because I generally get the feeling that
you are not too hot on using HTTPS and CA certificates on all these
sites, and maybe you don't really need to, for what you want to achieve.
Unless I am mistaken, I don't think that, in order to use HTTPS to protect
the user-id/password from eavesdropping by some miscreant, you
necessarily have to have a Verisign certificate for each site.
Again unless I am mistaken, a CA-signed certificate is meant to be used
to reassure the client that he is really talking to the server you say
you are, and not some other impersonating phishing site. But it is not
a prerequisite for simply making a connection through HTTPS.
Or?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org