tomcat-users mailing list archives

From Mufaddal Khumri <>
Subject Re: HTTPS --->> HTTP ?
Date Thu, 01 May 2003 10:58:35 GMT
Craig's reasoning is correct. But ... it depends why you would go from 
HTTPS to HTTP.  The reason not to go is to keep the session id secure.

HTTPS throughout keeps your username and password (any data) and 
session id secure through the user's session.
HTTPS for login only keeps only the username and password secure; 
the session id is exposed.

Out of the above two it depends on your business model to choose what 
you want to do, depending on content and keeping in mind that a username 
and password once compromised for a user is absolutely horrible. 
Getting hold of a session id for the user on one occasion is bad, but 
tolerable since that session id is only valid for a particular session.

Therefore using HTTPS to login and HTTP later is not that bad. In fact 
not at all bad if the content or service you are providing is of that 


On Friday, May 2, 2003, at 12:04 AM, Jacob Kjome wrote:

> This is completely insecure.  The session can be hijacked once it goes 
> outside the safety of SSL and since after login the user, presumably, 
> has more access to the app, everyone has more access to the app.  
> Tomcat doesn't support this because it is inherently insecure.  Search 
> the archives for many messages on this topic.  Craig R. McClanahan has 
> written about this many times.
> Jake
> At 11:11 AM 5/1/2003 +0530, you wrote:
>> Hi Everybody,
>> I have a servlet that allows a user to login using a username and 
>> password. For this I use SSL set up with Tomcat.
>> For example:
>> Now after the user has been authenticated I use
>> response.sendRedirect(response.encodeRedirectURL("/myapp/Home.jsp"));
>> When I do this ... the browser goes to:
>> Now after the initial login, I do not want to use HTTPS .. just HTTP.
>> I would like to know suggestions / best ways to do this?
>> I could specify the complete URL in the redirect, but that would tie 
>> me with the name of the server.
>> Any suggestions?
>> Thanks.
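As an added example that is not part of the thread or of Tomcat itself, here is one way to enforce the "HTTPS throughout" option described above: a servlet filter that refuses to let an existing session continue over plain HTTP, and that builds its redirect from the request rather than a hard-coded server name (the concern in the original question). The class name and the `httpsPort` init parameter are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the thread or from Tomcat): map it to
// /myapp/* in web.xml so no page behind the login is served over HTTP.
public class RequireHttpsFilter implements Filter {
    // Assumed init-param "httpsPort"; 443 is used when it is absent.
    private int httpsPort = 443;

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) httpsPort = Integer.parseInt(p);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the request arrived over SSL.
        if (!request.isSecure()) {
            // A session id presented over plain HTTP has already crossed the
            // wire in cleartext, so the session can no longer be trusted.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Rebuild the URL from the request so the filter does not
            // hard-code the server name (the original poster's concern).
            StringBuffer url = new StringBuffer("https://");
            url.append(request.getServerName());
            if (httpsPort != 443) url.append(':').append(httpsPort);
            url.append(request.getRequestURI());
            response.sendRedirect(url.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Where declarative security is already in use, the same effect can be had without code by giving the protected URL pattern a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` user-data constraint in web.xml.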

