Posted to users@tomcat.apache.org by DIGLLOYD INC <di...@diglloyd.com> on 2008/08/04 00:31:56 UTC
Re: Session lost when switching from https to http after upgrade to Tomcat 6
I've been having the same issues others have been asking about. This
discussion has been useful, but...
===> What is a viable workaround for switching to http from https once
the user is authenticated? And is that idea unreasonable (see use
case below).
My main concern is that sending large amounts of static content over
https (large JPEGs in particular) will cause an undue load on the
server, as opposed to 'http'.
Here is my use case:
1. The user's password should be protected over https when logging
in. Ditto for the user's home page.
2. Once logged in, a large amount of static content (html, large
JPEGs, etc) is available to that user. None of it is of a sensitive
nature.
3. While it's true that the sessionid could be hijacked, an attacker
would need the user's actual password to do anything malicious; there
isn't any sensitive user data, just access to content. So having
sessionid travel over plain http would be fine.
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
On Jun 7, 2008, at 3:40 AM, Mark Thomas wrote:
>>
>> The application may be trivial, but not the user's password.
> If the functionality is important enough to protect with a password
> over SSL then the session ID, which for most applications will give
> access to that functionality, should usually be protected in the
> same way. There will be some exceptions to this. Protecting the
> session by other means is one possibility.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Session lost when switching from https to http after upgrade to Tomcat 6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lloyd,
DIGLLOYD INC wrote:
| What is a viable workaround for switching to http from https once
| the user is authenticated?
Simple: make sure that the user has a session before you switch into
HTTPS mode.
- -chris
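A servlet filter implementing Chris's workaround, as an added example that is not code from the thread or from Tomcat; the class name and the /login servlet path are assumptions. It relies on the behaviour the thread describes: Tomcat 6 marks the JSESSIONID cookie secure only when the session is created over HTTPS, so a session created over plain HTTP keeps working after the switch back (with the trade-off Mark describes: the session ID then travels in the clear).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not from the thread or Tomcat).
 * Map it to the login URL. A plain-HTTP hit on that URL gets a session
 * created before the redirect to HTTPS, so the JSESSIONID cookie is
 * issued without the "secure" attribute and the browser keeps sending
 * it once the user is sent back to HTTP for the static content.
 */
public class SessionBeforeHttpsFilter implements Filter {
    private static final String LOGIN_PATH = "/login"; // assumed login URL

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure() && LOGIN_PATH.equals(request.getServletPath())) {
            // Create the session while still on HTTP: Tomcat only flags the
            // session cookie "secure" when the session is created over HTTPS.
            // Consequence: this ID is later readable on the wire over HTTP,
            // which is exactly the hijack risk discussed above.
            request.getSession(true);
            String query = request.getQueryString();
            String httpsUrl = "https://" + request.getServerName()
                    + request.getRequestURI()
                    + (query != null ? "?" + query : "");
            response.sendRedirect(response.encodeRedirectURL(httpsUrl));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The HTTPS URL assumes the standard port 443; adjust if the connector listens elsewhere.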