Well, HTTP cookies have a solution to this problem. They have a "Secure" keyword in the Set-Cookie line. This stops the client from leaking the cookie outside of a secure channel.
The problem is I don't think Tomcat keeps track of, and flags, whether a session has been exposed via a non-secure channel or not. If it did, then that's all a web-app filter needs in order to take action and invalidate the session itself and pick up a new one (possibly transferring any useful non-security-related attributes from the old HttpSession to the new HttpSession in the process).
Darryl

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
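The filter Darryl sketches above, written out as an added example (this is not Darryl's code and not part of Tomcat). Since Tomcat does not record the exposure itself, the filter does the bookkeeping: any request that arrives over plain HTTP carrying a session id marks that session with a flag; the next request over HTTPS that presents a flagged session copies the non-security attributes, invalidates the old session and creates a fresh one. The attribute names in SECURITY_ATTRS ("authenticatedUser", "csrfToken") are assumed for illustration; a real application would substitute whatever it stores for authentication state. The javax.servlet package matches Tomcat releases of the time; Tomcat 10 and later use jakarta.servlet instead.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Tracks whether a session id has travelled over a non-secure channel and,
 * on the next secure request presenting that id, replaces the session.
 * Assumes it is mapped to every URL pattern the application serves (/*).
 */
public class SessionExposureFilter implements Filter {

    /** Marker set on the session once its id has been seen on a plain-HTTP request. */
    static final String EXPOSED_ATTR = "SessionExposureFilter.exposed";

    /** Attributes that must NOT be carried into the new session (assumed names). */
    private static final Set<String> SECURITY_ATTRS = Set.of("authenticatedUser", "csrfToken");

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create one here

        if (session != null) {
            if (!request.isSecure()) {
                // The client just sent this session id in cleartext: remember that.
                session.setAttribute(EXPOSED_ATTR, Boolean.TRUE);
            } else if (Boolean.TRUE.equals(session.getAttribute(EXPOSED_ATTR))) {
                // Secure request with an id that was exposed earlier: rotate it now,
                // so the replacement id is only ever issued over the secure channel.
                rotateSession(request, session);
            }
        }
        chain.doFilter(req, res);
    }

    /** Invalidates the exposed session and carries non-security attributes to a new one. */
    static HttpSession rotateSession(HttpServletRequest request, HttpSession old) {
        Map<String, Object> carryOver = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!SECURITY_ATTRS.contains(name) && !EXPOSED_ATTR.equals(name)) {
                carryOver.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();                              // old id is now worthless to an eavesdropper
        HttpSession fresh = request.getSession(true);  // new id, issued on this HTTPS response
        carryOver.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    public void destroy() { }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is /* so that no request bypasses the bookkeeping. The rotation is deliberately deferred to the secure request: rotating during the plain-HTTP request would just hand the eavesdropper the new id as well. Anything kept in SECURITY_ATTRS is dropped rather than copied, so a session that was authenticated before the exposure comes back unauthenticated and the user must log in again over HTTPS.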