tomcat-users mailing list archives

From "Filip Hanik" <m...@filip.net>
Subject RE: HTTPS --->> HTTP ?
Date Thu, 01 May 2003 23:21:23 GMT
It is at the browser's discretion whether to send up the cookie again on this
redirect.
If the session was created under HTTP, then it is ok; if the session is
created under https the browser will most likely not send it up on HTTP.

Filip

> -----Original Message-----
> From: Jacob Kjome [mailto:hoju@visi.com]
> Sent: Thursday, May 01, 2003 11:34 AM
> To: Tomcat Users List
> Subject: Re: HTTPS --->> HTTP ?
>
>
>
> This is completely insecure.  The session can be hijacked once it goes
> outside the safety of SSL and since after login the user, presumably, has
> more access to the app, everyone has more access to the app.  Tomcat
> doesn't support this because it is inherently insecure.  Search the
> archives for many messages on this topic.  Craig R. McClanahan has written
> about this many times.
>
> Jake
>
> At 11:11 AM 5/1/2003 +0530, you wrote:
> >Hi Everybody,
> >
> >I have a servlet that allows a user to login using a username and
> >password. For this I use SSL set up with Tomcat.
> >
> >For example:
> >https://www.myserver.com/myapp/Login.jsp
> >
> >Now after the user has been authenticated I use
> >
> >response.sendRedirect(response.encodeRedirectURL("/myapp/Home.jsp"));
> >
> >When I do this ... the browser goes to:
> >https://www.myserver.com/myapp/Home.jsp
> >
> >Now after the initial login, I do not want to use HTTPS .. just HTTP.
> >I would like to know suggestions / best ways to do this ??
> >
> >I could specify the complete URL in the redirect, but that would tie me
> >with the name of the server.
> >
> >Any suggestions ?
> >
> >Thanks.
> >
>
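
Added example (not part of the original thread): a Python model, using the standard library's `http.cookiejar` as a stand-in for a browser, of the cookie behaviour discussed above. A session cookie marked `Secure` is withheld from the HTTP request, while one without the flag is sent in cleartext. The URLs are the ones from the thread, the session id values are constructed, and a real browser's policy may differ in detail.

```python
import email.message
import http.cookiejar
import urllib.request

# URLs taken from the thread; the session id values are constructed.
LOGIN_HTTPS = "https://www.myserver.com/myapp/Login.jsp"
LOGIN_HTTP = "http://www.myserver.com/myapp/Login.jsp"
HOME_HTTPS = "https://www.myserver.com/myapp/Home.jsp"
HOME_HTTP = "http://www.myserver.com/myapp/Home.jsp"
SECURE_COOKIE = "JSESSIONID=CONSTRUCTEDA1; Path=/myapp; Secure"
PLAIN_COOKIE = "JSESSIONID=CONSTRUCTEDB2; Path=/myapp"


class _Response:
    """Stand-in for an HTTP response that carries one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, set_url, next_url):
    """Return the Cookie header a client sends to next_url, or None."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(set_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure/path/domain rules
    return follow_up.get_header("Cookie")


def leaks_in_cleartext(set_cookie, set_url):
    """True if the session id would travel over plain HTTP after login."""
    return cookie_sent(set_cookie, set_url, HOME_HTTP) is not None


if __name__ == "__main__":
    cases = [
        ("Secure cookie, HTTPS login, HTTPS page", SECURE_COOKIE, LOGIN_HTTPS, HOME_HTTPS),
        ("Secure cookie, HTTPS login, HTTP page", SECURE_COOKIE, LOGIN_HTTPS, HOME_HTTP),
        ("Plain cookie, HTTP login, HTTP page", PLAIN_COOKIE, LOGIN_HTTP, HOME_HTTP),
        ("Plain cookie, HTTPS login, HTTP page", PLAIN_COOKIE, LOGIN_HTTPS, HOME_HTTP),
    ]
    for label, cookie, set_url, next_url in cases:
        print(f"{label}: Cookie header = {cookie_sent(cookie, set_url, next_url)!r}")
```

The second case is the lost session after the redirect to HTTP; the last two are the cases where the session id crosses the network unencrypted.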

