tomcat-users mailing list archives

From Jacob Kjome <h...@visi.com>
Subject Re: HTTPS --->> HTTP ?
Date Thu, 01 May 2003 18:34:18 GMT

This is completely insecure.  The session can be hijacked once it goes 
outside the safety of SSL and since after login the user, presumably, has 
more access to the app, everyone has more access to the app.  Tomcat 
doesn't support this because it is inherently insecure.  Search the 
archives for many messages on this topic.  Craig R. McClanahan has written 
about this many times.

Jake

At 11:11 AM 5/1/2003 +0530, you wrote:
>Hi Everybody,
>
>I have a servlet that allows a user to login using a username and 
>password. For this I use SSL set up with Tomcat.
>
>For example:
>https://www.myserver.com/myapp/Login.jsp
>
>Now after the user has been authenticated I use
>
>response.sendRedirect(response.encodeRedirectURL("/myapp/Home.jsp"));
>
>When I do this ... the browser goes to:
>https://www.myserver.com/myapp/Home.jsp
>
>Now after the initial login, I do not want to use HTTPS, just HTTP.
>I would like to know suggestions / the best ways to do this?
>
>I could specify the complete URL in the redirect, but that would tie me 
>to the name of the server.
>
>Any suggestions?
>
>Thanks.
>
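
As an added example (not code from either poster), the defender-side alternative to the downgrade the question asks for: keep the authenticated session behind TLS with a web.xml constraint, and back it up with a filter that refuses to honour a session id presented over plain HTTP. The filter class name RequireTlsFilter and its loginPage init-param are assumptions, as is TLS on the default port 443.

```java
// Added example, not from the thread. Two defensive pieces for the /myapp
// application discussed above (Servlet 2.3-era API, as on Tomcat 4/5).
// 1) web.xml fragment: require TLS for everything behind the login page, so
//    a redirect to Home.jsp can never be served over plain HTTP:
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>whole application</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//
// 2) A filter (hypothetical name RequireTlsFilter) as a second line of
//    defence: a session id that arrives over plain HTTP has already crossed
//    the wire unprotected, so the session is invalidated, not honoured.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class RequireTlsFilter implements Filter {
    private String loginPage;

    public void init(FilterConfig cfg) {
        // init-param "loginPage", e.g. /Login.jsp, relative to the context path
        loginPage = cfg.getInitParameter("loginPage");
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {
            chain.doFilter(req, res);   // TLS in use: proceed normally
            return;
        }
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();       // an exposed id must not stay valid
        }
        // Absolute https URL taken from the request itself, so the host name is
        // not hard-coded (the concern in the question); assumes TLS on port 443.
        response.sendRedirect("https://" + request.getServerName()
                + request.getContextPath() + loginPage);
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml alongside the security-constraint; the constraint alone makes Tomcat redirect plain-HTTP requests to HTTPS, and the filter ensures that any session id that was nevertheless sent in the clear is retired rather than reused.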
