----- Original Message -----
From: "Bill Davidson" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, June 09, 2008 7:17 PM
Subject: Re: Session lost when switching from https to http after upgrade to Tomcat 6
Johnny Kewl wrote:
Bill... Just lose the FORM authentication, replace it with DIGEST, or
even BASIC.... I think all your problems will go away.
I'm not exactly sure what you're saying. Are you saying that I shouldn't be
authenticating through a form?
Yes... Just because all your problems seem related to cookies, and FORM
authentication relies on cookies.
Also because I have no idea how to tell Tomcat, when creating the session, to
lose that secure attribute. I guess one has to override a class somewhere, and
that's probably just a good indication (these TC designers are guru gods, as
clever as hell ;) that maybe moving from HTTPS to HTTP is just a bad idea.
Then I started thinking about, say, DIGEST/BASIC authentication, which does not
work on a cookie; it's going to have its own authentication headers and I
think the browser will return those even when moving from HTTPS to HTTP...
so now with FORM replaced with DIGEST, say... it's all legal.
And it is actually safe... it would drop the session and make a new one...
and for most webapps (that are not using cookies in security) that's no
problem, cookies are free ;)
So (if I'm right) FORM auth when moving from HTTPS to HTTP is bad news and
requires a kludge, i.e. overriding secure cookies... and even though that's
clever, it is a security hole... a hacker gets that cookie, they're in.
But... DIGEST would allow the same thing, no kludge and would be safe.
That's kinda interesting... or maybe I'm just bored ;)
I don't like the idea of "fixing" it... that's all.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
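Added example, not part of the thread: a Python reproduction of the cookie rule Johnny is describing, using the standard library's cookie jar as a stand-in for the browser. The host name, paths and session id are constructed; it shows the Secure JSESSIONID not being sent on http:// (the lost session) and the stripped-flag "kludge" variant going out over plain HTTP, which is the hole he warns about.

```python
# Added example (not from the thread). Host name, paths and the
# session id below are constructed sample values.
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # duplicates are allowed

    def info(self):
        return self._headers


def login_over_https(set_cookie):
    """Simulate a FORM login on https:// and return the jar holding the session cookie."""
    jar = http.cookiejar.CookieJar()
    req = urllib.request.Request("https://shop.example.test/app/j_security_check")
    jar.extract_cookies(_Response([set_cookie]), req)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header a client would send to url, or None if nothing matches."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure / path / domain rules
    return req.get_header("Cookie")


# Tomcat marks JSESSIONID Secure when the session is created on an https request.
SECURE = "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"
# The "kludge" from the thread: the same cookie with the Secure attribute stripped.
KLUDGE = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"


def demo():
    """Cookie header sent on https:// and http:// for both cookie variants."""
    results = {}
    for label, header in (("secure", SECURE), ("kludge", KLUDGE)):
        jar = login_over_https(header)
        results[label] = {
            "https": cookie_header_for(jar, "https://shop.example.test/app/cart"),
            "http": cookie_header_for(jar, "http://shop.example.test/app/cart"),
        }
    return results


if __name__ == "__main__":
    for label, sent in demo().items():
        print(label, sent)
```

With the Secure flag the http:// request carries no Cookie header, so Tomcat sees no session; without it the session id crosses the wire in clear text on every http:// request.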