| Subject: | Re: Force One page to not use SSL | |
|---|---|---|
| From: | Dan Lipofsky (dan...@nuserve.com) | |
| Date: | Oct 29, 2002 4:11:34 pm | |
| List: | org.apache.tomcat.users | |

We do the switch, using Apache1.3.20/Tomcat3.2.4 on Solaris. We just use an absolute URL when doing the switch. No problems with lost sessions.

- Dan

----- Original Message -----

I've read the list archives and I'm aware of the security "issue", but I still want to switch from HTTPS to HTTP.

Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info.

We get a _lot_ of traffic. Running everything under SSL is not really an option. Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS->HTTP so the user is forced to log in again.





