-
1. Re: Redirect to HTTPS
gavin.king Mar 1, 2007 11:17 AM (in response to monkeyden)<page scheme="https">
-
2. Re: Redirect to HTTPS
shane.bryzak Mar 1, 2007 12:47 PM (in response to monkeyden)If you do this make sure you also specify a default scheme, as per the docs (check the security chapter for the complete details):
<page view-id="*" scheme="http">
-
3. Re: Redirect to HTTPS
spambob Mar 1, 2007 1:26 PM (in response to monkeyden)Hi Shane,
while I'm certainly happy that http<->https switching functionality is available (that's what I've been asking for) I was wondering if you implemented any security precautions because by switching from https back to http you open a security hole if you rely only on the jsessionid cookie / request parameter.
I.e: I login via https and get redirected - after correctly login in - to a http page. Now my sessionid was transmitted unencrypted and everyone who can listen to my network traffic can hijack my session simply by using the same sessionid (the only problem might be that the ips are different so the attacker has to be behind the same proxy).
Any clarification please ;) ? -
4. Re: Redirect to HTTPS
shane.bryzak Mar 1, 2007 10:13 PM (in response to monkeyden)Session management is provided by tomcat/the servlet spec, so unfortunately Seam has no control over this.