4 Replies Latest reply on Mar 1, 2007 10:13 PM by shane.bryzak

    Redirect to HTTPS

    monkeyden

      Can I redirect from HTTP to HTTPS, by way of pages.xml, by specifying a param to the element? As in:

        • 1. Re: Redirect to HTTPS
          gavin.king

           

          <page scheme="https">


          • 2. Re: Redirect to HTTPS
            shane.bryzak

            If you do this make sure you also specify a default scheme, as per the docs (check the security chapter for the complete details):

             <page view-id="*" scheme="http">
            


            • 3. Re: Redirect to HTTPS
              spambob

              Hi Shane,

              while I'm certainly happy that http<->https switching functionality is available (that's what I've been asking for) I was wondering if you implemented any security precautions because by switching from https back to http you open a security hole if you rely only on the jsessionid cookie / request parameter.

              I.e: I login via https and get redirected - after correctly login in - to a http page. Now my sessionid was transmitted unencrypted and everyone who can listen to my network traffic can hijack my session simply by using the same sessionid (the only problem might be that the ips are different so the attacker has to be behind the same proxy).

              Any clarification please ;) ?

              • 4. Re: Redirect to HTTPS
                shane.bryzak

                Session management is provided by tomcat/the servlet spec, so unfortunately Seam has no control over this.