tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 7819] - https and http session-semantics control
Date Mon, 08 Apr 2002 01:10:58 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7819>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7819

https and http session-semantics control

craig.mcclanahan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From craig.mcclanahan@sun.com  2002-04-08 01:10 -------
Anyone who uses this approach is absolutely and totally wasting their time doing
the authentication under HTTPS.  If you switch back to HTTP after that, your
session can get hijacked by anyone who is snooping the network and can therefore
see the session id.

The only safe programming technique is that, once you switch to HTTPS for a
particular session, you never again accept a non-HTTPS request for that session.
Supporting any easy mechanism to do the switchback would therefore, IMHO, be a
grave disservice to Tomcat users, because it would imply that this practice is
safe -- and it is not.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
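The rule stated in the comment above (once a session has been used over HTTPS, never honour that session id over plain HTTP again) can be enforced in a servlet filter. The class below is an added illustration for this archive page, not Tomcat code and not code from the bug report; the filter name, the session attribute name and the error message are assumptions chosen for the example. It pins a session to HTTPS the first time it is seen on a secure request and invalidates it if the same id later arrives unencrypted, since at that point the id has already been exposed on the wire.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example only, not part of Tomcat): once a session has
 * been used over HTTPS, refuse to accept that session id over plain HTTP.
 * A session id that shows up unencrypted is treated as exposed and destroyed,
 * so an id captured off the wire cannot be replayed against the server.
 */
public class SecureSessionPinFilter implements Filter {

    // Assumed, project-local attribute name marking a session as HTTPS-only.
    static final String PINNED_ATTR = "example.sessionPinnedToHttps";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Pass false: inspect an existing session, never create one here.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // First HTTPS use of this session: pin it to HTTPS from now on.
            if (session != null && session.getAttribute(PINNED_ATTR) == null) {
                session.setAttribute(PINNED_ATTR, Boolean.TRUE);
            }
        } else if (session != null
                && Boolean.TRUE.equals(session.getAttribute(PINNED_ATTR))) {
            // A pinned session id arrived over plain HTTP. The id has now been
            // sent in the clear, so invalidate it rather than serve the request.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session was established over HTTPS and cannot be used over HTTP");
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in `web.xml` (a `<filter>` plus a `<filter-mapping>` entry) so it runs before every servlet in the application. `request.isSecure()` reports the connector's own view of the transport; behind a TLS-terminating proxy the connector has to be told which requests were secure, or every request will look like plain HTTP and be rejected. The filter also does not cover the separate case of a session id that was first issued over HTTP and then carried into the HTTPS login; that id was already exposed before the pin took effect, so the usual defence is to issue a fresh session id at authentication time.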

