tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Shadel <>
Subject Re: HTTPS --->> HTTP ?
Date Fri, 02 May 2003 15:03:45 GMT
I agree, your choice has to be made based on the level of risk you're 
willing to take.  The SSLExtention to Struts has libraries to help make 
switching from HTTPS to HTTP fairly easy, if that's what you decide is 
best for your app.  Check out, or search 
the struts-user list for more info.


Mufaddal Khumri wrote:
> Craig's  
> reasoning is correct. But ... it depends why you would go from HTTPS to 
> HTTP.  The reason not to go is to keep the session id secure.
> HTTPS through out keeps your username and password (any data) and 
> session id secure .. thru the users session.
> HTTPS for login only keeps only the username and password secure. 
> session id is exposed.
> Out of the above two it depends on your business model to choose what 
> you want to do depending on content and keeping in mind that username 
> and password once compromised for a user is absolutely horrible. Getting 
> hold of a session id for the user on one occasion is bad. but tolerable 
> since that session id is only valid for a particular session.
> Therefore using HTTPS to login and HTTP later is not that bad. Infact 
> not at all bad if the content or service you are providing is of that 
> nature.
> Thanks.
> On Friday, May 2, 2003, at 12:04  AM, Jacob Kjome wrote:
>> This is completely insecure.  The session can be hijacked once it goes 
>> outside the safety of SSL and since after login the user, presumably, 
>> has more access to the app, everyone has more access to the app.  
>> Tomcat doesn't support this because it is inherently insecure.  Search 
>> the archives for many messages on this topic.  Craig R. McClanahan has 
>> written about this many times.
>> Jake
>> At 11:11 AM 5/1/2003 +0530, you wrote:
>>> Hi Everybody,
>>> I have a servlet that allows a user to login using a username and 
>>> password. For this I use SSL set up with Tomcat.
>>> For example:
>>> Now after the user has been authenticated I use
>>> response.sendRedirect(response.encodeRedirectURL("/myapp/Home.jsp"));
>>> When I do this ... the browser goes to:
>>> Now after the initial login, I do not want to use HTTPS .. just HTTP.
>>> I would like to know suggestions / best ways to do this ??
>>> I could specify the complete URL in the redirect, but that would tie 
>>> me with the name of the server.
>>> Any suggestions ?
>>> Thanks.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message