tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: SSL Session x Non SSL Session Problem
Date Thu, 08 Aug 2002 19:50:12 GMT


On Thu, 8 Aug 2002, Jose Francisco Junior wrote:

> Date: Thu, 08 Aug 2002 15:39:16 -0400
> From: Jose Francisco Junior <jjunior@zipmail.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: SSL Session x Non SSL Session Problem
>
> Please,
>
> Does anybody know anything about the problem below !!!
>
> I can't share a session object that was instantiated on an
>  SSL connection with a NON SSL connection.
>
> I am trying to authenticate users using an SSL connection
>  and after the authentication I forward the request to a
>  Non-SSL connection but the session object is invalidated.
>
> How can I solve this problem ?
>

You really really really don't want to do that.

Once you switch back to non-SSL, the session id would be transmitted in
cleartext -- so anyone snooping on your network connection could easily
impersonate you.  If the user's password is sensitive enough to protect,
the whole session should be as well.  Otherwise, you'll just live under an
illusion of security.

> Thanks in advance,
> Junior

Craig
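
The setup this reply argues for, as an added example that is not part of the original message: a `web.xml` deployment descriptor fragment that requires HTTPS for the whole application rather than for the login step only. The `/login/*` path and the resource names are assumptions chosen for illustration.

```xml
<!-- Added example, not from the original thread.

     Weak pattern (the one asked about): only the login URLs require
     HTTPS, so every later request can carry the session id over plain
     HTTP where it can be read off the wire.

     <security-constraint>
       <web-resource-collection>
         <web-resource-name>Login only (hypothetical name)</web-resource-name>
         <url-pattern>/login/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
     </security-constraint>
-->

<!-- Corrected pattern: every URL in the web application requires a
     confidential transport, so the session id is only ever sent over
     SSL, for the login request and for everything after it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application (hypothetical name)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this constraint in place, Tomcat redirects a plain-HTTP request for any URL in the application to the SSL port named by the HTTP connector's `redirectPort` attribute.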
