tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joel Rees <j...@alpsgiken.gr.jp>
Subject Re: HTTPS to HTTP
Date Fri, 10 Jan 2003 02:09:02 GMT
>   I agree with you 100% but there can be a simple solution to the problem
> that you just raised..and that is that a new session id is created and
> mapped in some table when moving from https-->http this way user B can not
> get access to the admin page. 

Two things you'd have to be really careful about --

Never let the https session id be exposed in an http session. (How do
you do that? Tested it under all operating contexts, every browser?)

Never let a switch back to https occur without re-verifying the user. 
(Can this be done seamlessly?)

If you used two distinct (sub)domains (for instance,
http://user.myapp.com and https://secureuser.myapp.com) and were really
careful about the cookie settings for the session ids, might it be
workable? Would it require customizing Tomcat? Is it worth the time to
test (and the risk that the testers didn't think of everything)?

-- 
Joel Rees <joel@alpsgiken.gr.jp>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message