Posted to users@tomcat.apache.org by Jose Francisco Junior <jj...@zipmail.com> on 2002/08/08 18:56:51 UTC

SSL Session x Non SSL Session Problem

Hi everyone,

I am trying to authenticate users using an SSL connection
and after the authentication I forward the request to a
Non-SSL connection but the session object is invalidated.

How can I solve this problem?


Thanks in advance,
Junior
________________________________________________
Don't E-Mail, ZipMail! http://www.zipmail.com/

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: SSL Session x Non SSL Session Problem

Posted by Jean-francois Arcand <je...@sun.com>.

Jose Francisco Junior wrote:

>Please,
>
>Does anybody know anything about the problem below!!!
>
>I can't share a session object that was instantiated on an
>SSL connection with a NON SSL connection.
>
>I am trying to authenticate users using an SSL connection
>and after the authentication I forward the request to a
>Non-SSL connection but the session object is invalidated.
>
>How can I solve this problem?
>
The only solution I recommend is to use SSL for all connections (or not 
use it at all). The ID associated with the SSL session will certainly not 
be the same as the one created without SSL (how does the Principal (user, 
password) get passed?). If it was, how can you differentiate an 
authenticated user?

-- Jeanfrancois

>
>Thanks in advance,
>Junior

-- 
Jean-Francois Arcand
Java and XML Software, Sun Microsystems 
450.224.475





Re: SSL Session x Non SSL Session Problem

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 8 Aug 2002, Jose Francisco Junior wrote:

> Date: Thu, 08 Aug 2002 15:39:16 -0400
> From: Jose Francisco Junior <jj...@zipmail.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: SSL Session x Non SSL Session Problem
>
> Please,
>
> Does anybody know anything about the problem below!!!
>
> I can't share a session object that was instantiated on an
> SSL connection with a NON SSL connection.
>
> I am trying to authenticate users using an SSL connection
> and after the authentication I forward the request to a
> Non-SSL connection but the session object is invalidated.
>
> How can I solve this problem?
>

You really really really don't want to do that.

Once you switch back to non-SSL, the session id would be transmitted in
cleartext -- so anyone snooping on your network connection could easily
impersonate you.  If the user's password is sensitive enough to protect,
the whole session should be as well.  Otherwise, you'll just live under an
illusion of security.

> Thanks in advance,
> Junior

Craig
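
One way to apply the advice in the two replies above in the web application's deployment descriptor, as an added example that is not part of the original thread: a `user-data-constraint` with `transport-guarantee` set to `CONFIDENTIAL` over every URL, so the container does not serve any part of the application over a non-SSL connection. The resource names and the `/login/*` path are assumptions made for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml.
     Resource names and URL paths are assumptions. -->
<web-app>

  <!-- Weak variant, shown commented out for comparison: only the login
       pages require SSL. After authentication the application carries on
       over plain HTTP, which is the setup both replies advise against.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages only</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Corrected variant: the transport guarantee covers the whole
       application, so every request that uses the session is required
       to arrive over SSL, not just the login exchange. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```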




SSL Session x Non SSL Session Problem

Posted by Jose Francisco Junior <jj...@zipmail.com>.
Please,

Does anybody know anything about the problem below!!!

I can't share a session object that was instantiated on an
SSL connection with a NON SSL connection.

I am trying to authenticate users using an SSL connection
and after the authentication I forward the request to a
Non-SSL connection but the session object is invalidated.

How can I solve this problem?

Thanks in advance,
Junior