From "Bill Barker" <>
Subject Re: https --> http session problem
Date Tue, 18 Nov 2003 06:45:32 GMT

"Adam Hardy" <> wrote in message
> On 11/17/2003 05:15 PM Andrew Mottaz wrote:
> >>Also, as far as I can see, the java community has decided that once you
> >>start a secure session, you should stay in a secure session, for various
> >>security reasons. Are you doing a secure login and then redirecting back
> >>to http afterwards?
> >
> > Imagine the following scenario -- A web site has different levels of
> > access.  The difference between the users is what products they can see.
> > The data is not terribly sensitive.  However, the log-in should be
> > for several reasons -- 1) For the users perception -- people do not like
> > "This form is not secure" message when logging in.  2)  Capturing a user
> > and password is worse than hijacking one session.
> >
> [snipped]
> > Also -- this is the standard for Tomcat -- not Java --( it may be in the
> > servlet/jsp spec -- but if so, it is a new addition).  Other Java based
> > servers treat this differently.
> >
> [snipped]
> > Again -- Just my 2 cents -- Is there a security issue I'm missing?  If
> > argument is that you should NEVER go from secure to non-secure, the
> > solution does not assure that. It only means that you have to go
> > secure, and then non-secure.  That seems quite arbitrary to me.
> I'm not sure I would put the argument in those terms - obviously you can
> go from secure to non-secure via redirects, but tomcat is not going to
> be nice about it, i.e. wave your cookies goodbye.
> There is new stuff in the spec related to secure sessions, but I'm not
> sure if it involves cookies. The issue is about encrypting the
> form-based CMS login form and in bugzilla it didn't get much sympathy:
> I assume the issue was discussed in depth but I couldn't find it on the
> tomcat-dev list. Perhaps it was discussed by JCP somewhere else while
> writing the spec. If anyone who is on the dev list knows, I'd love to
> read the discussion.

You'll have to go back at least two years to get the tomcat-dev discussion
;-). At the moment, the Tomcat-Developer's don't believe that there is
anything to discuss :).  Also, the Servlet-2.4 spec has already gone 'final'
(not that I get a chance to see it :(), so all you can do now is to lobby
for the whenever Servlet-2.5 Spec.
> The spec is about to go final after which any change of the issue is
> doomed, unfortunately IMHO. I'd gladly lend my voice to any last-ditch
> attempt to get it changed.
> Adam
> -- 
> struts 1.1 + tomcat 5.0.12 + java 1.4.2
> Linux 2.4.20 RH9
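The "wave your cookies goodbye" behaviour discussed in this thread comes down to one cookie attribute: a session cookie issued over HTTPS and marked `Secure` is withheld by the client on any plain-HTTP request, so the server sees no session id and starts a new session. The following example is added here to illustrate that client-side rule; it is not Tomcat code and not code from anyone in the thread. It uses Python's standard `http.cookiejar`, which implements the same `Secure` check a browser does, with a constructed host (`example.com`), constructed paths and a constructed session id value.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies only
    needs .info() to return an object with get_all(name, default)."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def session_cookie_sent(login_url, next_url, secure_flag):
    """Simulate a client that logs in at login_url, receives a JSESSIONID
    cookie (Secure or not), then requests next_url.  Returns the Cookie
    header the client would send on the second request, or None if the
    cookie is withheld (the session is effectively lost)."""
    jar = http.cookiejar.CookieJar()

    # Step 1: the login response sets the session cookie.
    login_req = urllib.request.Request(login_url)
    set_cookie = "JSESSIONID=constructed-session-id; Path=/"  # constructed value
    if secure_flag:
        set_cookie += "; Secure"
    jar.extract_cookies(FakeResponse([("Set-Cookie", set_cookie)]), login_req)

    # Step 2: the client builds the next request; the jar applies the
    # Secure rule (cookie only attached when the scheme is https/wss).
    next_req = urllib.request.Request(next_url)
    jar.add_cookie_header(next_req)
    return next_req.get_header("Cookie")


if __name__ == "__main__":
    # Secure cookie, stays on https: session id travels with the request.
    print(session_cookie_sent("https://example.com/login",
                              "https://example.com/shop", True))
    # Secure cookie, redirected to http: nothing sent, new session server-side.
    print(session_cookie_sent("https://example.com/login",
                              "http://example.com/shop", True))
    # Non-Secure cookie: sent over http too, i.e. exposed to anyone on the path.
    print(session_cookie_sent("https://example.com/login",
                              "http://example.com/shop", False))
```

The third case is the trade-off the thread is really about: a session cookie without the `Secure` flag survives the https-to-http redirect, but it is then transmitted in clear text on every later request, which is the "hijacking one session" risk Andrew weighs against capturing the password.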
