15 messages in org.apache.tomcat.usersRE: Force One page to not use SSL| From | Sent On | Attachments |
|---|---|---|
| Rustad, Aaron | Oct 28, 2002 4:48 pm | |
| Craig R. McClanahan | Oct 28, 2002 8:36 pm | |
| Nicholas Pappas | Oct 29, 2002 7:44 am | |
| Rustad, Aaron | Oct 29, 2002 7:45 am | |
| Srinadh Karumuri | Oct 29, 2002 9:17 am | |
| Pae Choi | Oct 29, 2002 12:54 pm | |
| Schnitzer, Jeff | Oct 29, 2002 3:56 pm | |
| Dan Lipofsky | Oct 29, 2002 4:11 pm | |
| Justin Ruthenbeck | Oct 29, 2002 4:19 pm | |
| Rustad, Aaron | Oct 29, 2002 4:54 pm | |
| Craig R. McClanahan | Oct 29, 2002 9:55 pm | |
| Craig R. McClanahan | Oct 29, 2002 10:00 pm | |
| Bill Barker | Oct 29, 2002 10:49 pm | |
| Craig R. McClanahan | Oct 29, 2002 10:54 pm | |
| Ralph Einfeldt | Oct 30, 2002 12:06 am |
| Subject: | RE: Force One page to not use SSL | |
|---|---|---|
| From: | Schnitzer, Jeff (JSch...@maxis.com) | |
| Date: | Oct 29, 2002 3:56:25 pm | |
| List: | org.apache.tomcat.users | |
I've read the list archives and I'm aware of the security "issue", but I still want to switch from HTTPS to HTTP.
Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info.
We get a _lot_ of traffic. Running everything under SSL is not really an option. Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS->HTTP so the user is forced to log in again.
Thanks, Jeff Schnitzer jsch...@maxis.com The Sims Online
-----Original Message----- From: Craig R. McClanahan [mailto:crai...@apache.org] Sent: Monday, October 28, 2002 8:37 PM To: Tomcat Users List Subject: Re: Force One page to not use SSL
On Mon, 28 Oct 2002, Rustad, Aaron wrote:
Date: Mon, 28 Oct 2002 17:48:40 -0700 From: "Rustad, Aaron" <ARus...@Online-can.com> Reply-To: Tomcat Users List <tomc...@jakarta.apache.org> To: "'tomc...@jakarta.apache.org'" <tomc...@jakarta.apache.org> Subject: Force One page to not use SSL
I am trying to force one page NOT to use HTTPS and still maintain the session. I have looked in mailing list, and all I see is how you are not supposed to do this. Well, I really...really...really need to do
this
and
yes, I understand that I shouldn't.
So, if anyone knows how I can maintain the session that is given to my client from HTTPS -> HTTP I would greatly appreciate it.
There is no support for this because it would be a huge security hole. For much discussion on this topic, check the mailing list archives.
Some background:
1. IIS as a front for Tomcat 4.0.1. 2. Using AJP13
Thanks! Aaron.
Craig