tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: https --> http session problem
Date Mon, 17 Nov 2003 09:56:14 GMT
On 11/17/2003 06:32 AM Andrew Mottaz wrote:
>>  However, there aren't very many
>> developers who like the idea of allowing you to hang yourself :).
> Thanks much for the tip -- I have to disagree about this not being a 
> necessary change.  There are plenty of apps where people browse without 
>  a secure connection, but have to log in to perform some functions.  
> Users like to bookmark pages -- why should I force them to bookmark only 
> non-secure pages? Giving a developer control over how session cookies 
> function is better than forcing a hack where you have to always redirect 
> to a non-secure page to establish the session.  If you are writing an 
> application where the session data is so sensitive that you have to 
> protect against session hijacking, you should know about the difference 
> between secure and non-secure cookies.  I've got no problem if the 
> default behavior uses secure cookies when ever possible, but change the 
> "Session uses cookie" parameter to have a flag that allows session 
> cookies to always be non-secure.

what reason is there for preventing users from bookmarking secure pages? 
  I don't follow you there.

Also, as far as I can see, the java community has decided that once you 
start a secure session, you should stay in a secure session, for various 
security reasons. Are you doing a secure login and then redirecting back 
to http afterwards?

struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message