If you do this make sure you also specify a default scheme, as per the docs (check the security chapter for the complete details):
<page view-id="*" scheme="http">
while I'm certainly happy that http<->https switching functionality is available (that's what I've been asking for) I was wondering if you implemented any security precautions because by switching from https back to http you open a security hole if you rely only on the jsessionid cookie / request parameter.
I.e: I login via https and get redirected - after correctly login in - to a http page. Now my sessionid was transmitted unencrypted and everyone who can listen to my network traffic can hijack my session simply by using the same sessionid (the only problem might be that the ips are different so the attacker has to be behind the same proxy).
Any clarification please ;) ?
Session management is provided by tomcat/the servlet spec, so unfortunately Seam has no control over this.