We do the switch, using Apache 1.3.20/Tomcat 3.2.4 on Solaris.
We just use an absolute URL when doing the switch.
No problems with lost sessions.
----- Original Message -----
I've read the list archives and I'm aware of the security "issue", but I
still want to switch from HTTPS to HTTP.
Yes, I know someone could hijack the session. We're not worried about
that; at worst someone could make some obnoxious posts to a forum. We
force users to submit their password a second time (and go into SSL, of
course) whenever anything sensitive is touched, such as passwords or
credit card info.
We get a _lot_ of traffic. Running everything under SSL is not really
an option. Can Apache/Tomcat/mod_jk be made to handle the switch? In
our current configuration, it appears that the session is getting lost
in the transition from HTTPS->HTTP so the user is forced to log in