tomcat-users mailing list archives

Subject Re: Session lost when switching from https to http after upgrade to Tomcat 6
Date Sun, 03 Aug 2008 22:31:56 GMT
I've been having the same issues others have been asking about. This discussion has been useful, but...

===> What is a viable workaround for switching to http from https once the user is authenticated? And is that idea unreasonable (see use case below)?

My main concern is that sending large amounts of static content over https (large JPEGs in particular) will cause an undue load on the server, as opposed to 'http'.

Here is my use case:

1. The user's password should be protected over https when logging in. Ditto for the user's home page.

2. Once logged in, a large amount of static content (html, large JPEGs, etc) is available to that user. None of it is of a sensitive

3. While it's true that the sessionid could be hijacked, an attacker would need the user's actual password to do anything malicious; there isn't any sensitive user data, just access to content. So having the sessionid travel over plain http would be fine.

Lloyd Chambers

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]

On Jun 7, 2008, at 3:40 AM, Mark Thomas wrote:

>> The application may be trivial, but not the user's password.
> If the functionality is important enough to protect with a password over SSL then the session ID, which for most applications will give access to that functionality, should usually be protected in the same way. There will be some exceptions to this. Protecting the session by other means is one possibility.
