
Secure login page only.

Bob Green
Ranch Hand

Joined: Feb 29, 2004
Posts: 93
I have the following scenario and don't know how to implement it:
I have a login page which needs to be secure with SSL. Once the user is able to log in, I don't want the subsequent pages to be secured anymore. How do I accomplish that?

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

Most containers (Tomcat is one that I know of) will keep separate sessions for secure and non-secure sessions.
This is done for a good reason. In a non-secure session the sessionid cookie is passed over the web in clear text, which opens your app up to session hijacking.

If your data is secure enough to require a secure login before accessing it, isn't it worth keeping the session under SSL? Why do you want to drop SSL? Is it for performance reasons? If so, have you tested to see exactly how much faster your app runs without SSL than with it?
