Mike, thanks for your response.
You should never perform url rewriting
I plan to avoid this.
If you are creating URLs in a Servlet, ...
Yes, this is my intent... I need to redirect from an insecure page to a secure login page (SSL) and then redirect to another secure page on success.
...you should use the javax.servlet.http.HttpServletRequest encodeURL method. In a JSP you should use the JSTL url tag <c:url> example.
So does this mean that the same sessionId is used for both http and https? Meaning that a redirect from http --> https will be handled by the tag and container? I seemed to read somewhere that setting a new sessionId is a good idea for the secure component. I guess nothing is preventing me from setting a new cookie with a new (self-generated) ID with quick expiration for the secure part and relying on that, right?
Also, is there a difference between <html:link> and <c:url>? Do they do the same thing?
Thanks for your help.
_R
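
The flow asked about above (HTTP page, then HTTPS login, then a secure page on success) with the container issuing a fresh session ID at login, as an added example that is not part of the original post. The class name, the `/login.jsp` and `/secure/home.jsp` paths, the form field names and the `credentialsAreValid` hook are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet, mapped to the HTTPS login URL.
public abstract class SecureLoginServlet extends HttpServlet {

    // Hypothetical hook: a subclass supplies the real credential check.
    protected abstract boolean credentialsAreValid(String user, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Refuse credentials that arrived over plain HTTP.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String user = request.getParameter("username");
        String password = request.getParameter("password");
        if (!credentialsAreValid(user, password)) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/login.jsp?failed=1"));
            return;
        }

        // Discard the session, and with it the ID, that was issued
        // while the browser was still on the HTTP pages.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // The container generates a new ID for the authenticated session.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);

        // Encode the redirect only after the new session exists, so any
        // session ID the container adds to the URL is the new one.
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/secure/home.jsp"));
    }
}
```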