Posted to users@tomcat.apache.org by Taavi Tiirik <ta...@ibs.ee> on 2001/10/25 16:36:35 UTC

switch between http and https. how?

I have Tomcat 4 running fine with both http and https protocols.
I would like to use http for serving most of the documents and
only j_security_check (form based login) should be done over
https. How can I configure this?

with best wishes,
Taavi



RE: switch between http and https. how?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 26 Oct 2001, Taavi Tiirik wrote:

> Date: Fri, 26 Oct 2001 17:16:19 +0200
> From: Taavi Tiirik <ta...@ibs.ee>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: RE: switch between http and https. how?
>
> > > I have Tomcat 4 running fine with both http and https protocols.
> > > I would like to use http for serving most of the documents and
> > > only j_security_check (form based login) should be done over
> > > https. How can I configure this?
> > >
> >
> > There is no way to configure this.
>
> Thanks, Craig!
>
> Now I am a bit lost. Would it make sense then to have a whole
> site served over https?

If you are concerned about someone hijacking your session, that's pretty
much the only choice.

> What are the best practices of
> securing login information as well as session id cookie?
>
> with best wishes,
> Taavi
>
>
>

Craig





RE: switch between http and https. how?

Posted by Taavi Tiirik <ta...@ibs.ee>.
> > I have Tomcat 4 running fine with both http and https protocols.
> > I would like to use http for serving most of the documents and
> > only j_security_check (form based login) should be done over
> > https. How can I configure this?
> >
> 
> There is no way to configure this.

Thanks, Craig!

Now I am a bit lost. Would it make sense then to have a whole
site served over https? What are the best practices of
securing login information as well as session id cookie?

with best wishes,
Taavi



Re: switch between http and https. how?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Thu, 25 Oct 2001, Taavi Tiirik wrote:

> Date: Thu, 25 Oct 2001 16:36:35 +0200
> From: Taavi Tiirik <ta...@ibs.ee>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: switch between http and https. how?
>
>
> I have Tomcat 4 running fine with both http and https protocols.
> I would like to use http for serving most of the documents and
> only j_security_check (form based login) should be done over
> https. How can I configure this?
>

There is no way to configure this.

Furthermore, it would be unsafe to rely on this for any sort of security.
Consider the fact that the session id cookie is still transmitted in clear
text, so anyone snooping on the network could easily swipe your session id
(and thus impersonate that user for as long as the session remained
alive), even though they could not see the password because it was
encrypted.

> with best wishes,
> Taavi
>
>
>

Craig