Re: Security constrant to force SSL works with apache+tomcat? - Alexander Wallace - org.apache.tomcat.users

11 messages in org.apache.tomcat.usersRe: Security constrant to force SSL w...

From	Sent On	Attachments
David Brown	Dec 6, 2002 10:34 am
Alexander Wallace	Dec 6, 2002 11:00 am
Alexander Wallace	Dec 6, 2002 11:16 am
Alexander Wallace	Dec 6, 2002 1:11 pm
Milt Epstein	Dec 6, 2002 2:17 pm
Alexander Wallace	Dec 6, 2002 2:55 pm
Craig R. McClanahan	Dec 6, 2002 6:35 pm
Tim Funk	Dec 7, 2002 7:15 am
Pae Choi	Dec 7, 2002 2:16 pm
Craig R. McClanahan	Dec 7, 2002 2:43 pm
Alexander Wallace	Dec 8, 2002 2:02 am

Subject:	Re: Security constrant to force SSL works with apache+tomcat?
From:	Alexander Wallace (tomc...@rwsoft-online.com)
Date:	Dec 8, 2002 2:02:42 am
List:	org.apache.tomcat.users

On Sat, 2002-12-07 at 03:35, Craig R. McClanahan wrote:

That's not quite right.

Starting a session in http and switching to https for the sensitive part (i.e. fill your shopping cart on http and switch for the checkout page that asks for your credit card number) is fine.

Switching from https to http, in the same session, is not fine.

But when i switch from http to https, all objects I had in the session are not accessible anymore, I asume that's becouse a new session is created. Isn't that how it is? I've been trying to find out if i can retrieve those objects in the http session (if it's anotherone). Session sharing is not possible anymore...

If it was the same session id when switching from http to https, then that would also be a security risk would not it?

Thanks!

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets