httpd-users mailing list archives

From Scott Gifford <sgiff...@suspectclass.com>
Subject Re: [users@httpd] Need some SSL help please.
Date Fri, 07 Aug 2009 15:20:46 GMT
Josh Gooding <josh.gooding@gmail.com> writes:

[...]

> Run the Login.jsp through SSL, after successful login, drop the SSL.  The
> entire session doesn't need encrypted, only the login and password.  

Sure, that's possible.  The general strategy is to accept the username
and password on a secure connection, and if they are correct generate
a session ID which can be used for future authentication.  You can
return this to the browser in a form or the URL (maybe in a cookie,
not sure if cookies can be passed between HTTP and HTTPS sites), and
the non-encrypted part of your application would just check that the
session ID is valid.

I don't know of an Apache module that will do this for you, and I
don't know anything about Tomcat, but at a high level that's a common
approach.

Hope this helps,

----Scott.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
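
The strategy described in the message above, as an added Python sketch that is not part of the original post and is not Apache or Tomcat code: login() runs only behind HTTPS and issues a random session ID, and check_session() is what the plain-HTTP part of the application calls. The function names, the in-memory stores, the constructed sample user and the 15-minute timeout are assumptions; because the ID travels unencrypted after login, the sketch keeps its lifetime short and supports explicit logout.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds of idle time before a session dies (assumed value)
_SALT = b"constructed-salt"  # constructed; use a per-user random salt in practice
# Constructed sample credential store: username -> PBKDF2 hash of the password.
USERS = {"josh": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSIONS = {}  # sha256(session ID) -> (username, expiry timestamp)


def _key(session_id):
    # Store only a hash, so a dump of the table does not reveal live IDs.
    return hashlib.sha256((session_id or "").encode()).hexdigest()


def login(username, password, is_secure, now=None):
    """HTTPS login handler: return a new session ID, or None on failure."""
    now = time.time() if now is None else now
    if not is_secure:
        return None  # never accept credentials on the plain-HTTP side
    expected = USERS.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_key(session_id)] = (username, now + SESSION_TTL)
    return session_id


def check_session(session_id, now=None):
    """Plain-HTTP side: return the username for a valid session ID, else None."""
    now = time.time() if now is None else now
    key = _key(session_id)
    entry = SESSIONS.get(key)
    if entry is None:
        return None  # unknown or forged ID
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[key]  # expired: remove so it can never be revived
        return None
    SESSIONS[key] = (username, now + SESSION_TTL)  # sliding idle timeout
    return username


def logout(session_id):
    SESSIONS.pop(_key(session_id), None)
```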

