Posted to users@tomcat.apache.org by Jose Francisco Junior <jj...@zipmail.com> on 2002/08/08 18:56:51 UTC
SSL Session x Non SSL Session Problem
Hi everyone,
I am trying to authenticate users using an SSL connection
and after the authentication I forward the request to a
Non-SSL connection but the session object is invalidated.
How can I solve this problem?
Thanks in advance,
Junior
________________________________________________
Don't E-Mail, ZipMail! http://www.zipmail.com/
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: SSL Session x Non SSL Session Problem
Posted by Jean-francois Arcand <je...@sun.com>.
Jose Francisco Junior wrote:
>Please,
>
>Does anybody know anything about the problem below !!!
>
>I can't share a session object that was instantiated on an
> SSL connection with a NON SSL connection.
>
>I am trying to authenticate users using an SSL connection
> and after the authentication I forward the request to a
> Non-SSL connection but the session object is invalidated.
>
>How can I solve this problem ?
>
The only solution I recommend is to use SSL for all connections (or not
use it at all). The ID associated with the SSL session will certainly not
be the same as the one created without SSL (how does the Principal (user,
password) get passed?). If it was, how can you differentiate an
authenticated user?
-- Jeanfrancois
>
>Thanks in advance,
>Junior
--
Jean-Francois Arcand
Java and XML Software, Sun Microsystems
450.224.475
Re: SSL Session x Non SSL Session Problem
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Thu, 8 Aug 2002, Jose Francisco Junior wrote:
> Date: Thu, 08 Aug 2002 15:39:16 -0400
> From: Jose Francisco Junior <jj...@zipmail.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: SSL Session x Non SSL Session Problem
>
> Please,
>
> Does anybody know anything about the problem below !!!
>
> I can't share a session object that was instantiated on an
> SSL connection with a NON SSL connection.
>
> I am trying to authenticate users using an SSL connection
> and after the authentication I forward the request to a
> Non-SSL connection but the session object is invalidated.
>
> How can I solve this problem ?
>
You really really really don't want to do that.
Once you switch back to non-SSL, the session id would be transmitted in
cleartext -- so anyone snooping on your network connection could easily
impersonate you. If the user's password is sensitive enough to protect,
the whole session should be as well. Otherwise, you'll just live under an
illusion of security.
> Thanks in advance,
> Junior
Craig
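
An added example, not part of the original thread or of Tomcat's own documentation: one way to apply the advice in the replies above is the Servlet specification's transport guarantee in the application's web.xml, set for the whole application instead of only the login path. The `/login/*` path and the resource names are assumptions made for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml (goes inside <web-app>). -->

<!--
  BEFORE (the setup described in the question): only the login path
  requires SSL. After login the browser is sent back to plain HTTP,
  so the session id travels in cleartext.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login only (hypothetical name)</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
-->

<!--
  AFTER: every URL of the application requires SSL, so the session id
  issued at login is never sent over an unencrypted connection.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application (hypothetical name)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this constraint in place, Tomcat answers a plain-HTTP request to a protected URL with a redirect to the port named in the HTTP connector's `redirectPort` attribute.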
SSL Session x Non SSL Session Problem
Posted by Jose Francisco Junior <jj...@zipmail.com>.
Please,
Does anybody know anything about the problem below !!!
I can't share a session object that was instantiated on an
SSL connection with a NON SSL connection.
I am trying to authenticate users using an SSL connection
and after the authentication I forward the request to a
Non-SSL connection but the session object is invalidated.
How can I solve this problem?
Thanks in advance,
Junior