tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: switch between http and https. how?
Date Fri, 26 Oct 2001 01:37:33 GMT
On Thu, 25 Oct 2001, Taavi Tiirik wrote:

> Date: Thu, 25 Oct 2001 16:36:35 +0200
> From: Taavi Tiirik <taavi@ibs.ee>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: switch between http and https. how?
>
>
> I have Tomcat 4 running fine with both http and https protocols.
> I would like to use http for serving most of the documents and
> only j_security_check (form based login) should be done over
> https. How can I configure this?
>

There is no way to configure this.

Furthermore, it would be unsafe to rely on this for any sort of security.
Consider the fact that the session id cookie is still transmitted in clear
text, so anyone snooping on the network could easily swipe your session id
(and thus impersonate that user for as long as the session remained
alive), even though they could not see the password because it was
encrypted.

> with best wishes,
> Taavi
>
>
>

Craig
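
The following is an added example, not part of the original message or of Tomcat: a Python check that walks a constructed log of HTTP exchanges and flags every point where a session id is sent, or will be replayed by the browser, over plain http. The log format, the `audit` function and all sample values are assumptions made for illustration; `JSESSIONID` is Tomcat's default session cookie name.

```python
from http.cookies import SimpleCookie
import re

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name
URL_SESSION = re.compile(r";jsessionid=[^?#/;]+", re.IGNORECASE)  # URL rewriting

def audit(exchanges):
    """Return (index, finding) pairs for each exchange in which a session id
    travels in clear text or is issued so that it later will."""
    findings = []
    for i, ex in enumerate(exchanges):
        plain = ex["scheme"] == "http"
        # Session id already on the wire unencrypted (request side).
        sent = SimpleCookie(ex.get("cookie", ""))
        if plain and SESSION_COOKIE in sent:
            findings.append((i, "session cookie sent over http"))
        if plain and URL_SESSION.search(ex["path"]):
            findings.append((i, "session id in URL over http"))
        # Session cookie issued in a way that exposes it (response side).
        for header in ex.get("set_cookie", []):
            issued = SimpleCookie(header)
            if SESSION_COOKIE not in issued:
                continue
            if plain:
                findings.append((i, "session cookie issued over http"))
            elif not issued[SESSION_COOKIE]["secure"]:
                # Without Secure the browser replays it on later http requests.
                findings.append((i, "session cookie issued without Secure"))
    return findings

# Constructed sample: login over https, everything else over http.
SAMPLE = [
    {"scheme": "http", "path": "/app/protected.jsp",
     "set_cookie": ["JSESSIONID=0123ABCD; Path=/app"]},
    {"scheme": "https", "path": "/app/j_security_check",
     "cookie": "JSESSIONID=0123ABCD"},
    {"scheme": "http", "path": "/app/index.jsp",
     "cookie": "JSESSIONID=0123ABCD"},
    {"scheme": "http", "path": "/app/report.jsp;jsessionid=0123ABCD?page=2"},
    {"scheme": "https", "path": "/app/account",
     "set_cookie": ["JSESSIONID=4567EF01; Path=/app"]},
    {"scheme": "https", "path": "/app/account",
     "set_cookie": ["JSESSIONID=89AB2345; Path=/app; Secure; HttpOnly"]},
]
```

Only the https login request and the last exchange, where the cookie is issued over https with the `Secure` attribute, produce no finding.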


