Josh Gooding <josh.gooding@xxxxxxxxx> writes:

[...]
> Run the Login.jsp through SSL, after successful login, drop the SSL. The
> entire session doesn't need encrypted, only the login and password.

Sure, that's possible. The general strategy is to accept the username and password on a secure connection, and if they are correct generate a session ID which can be used for future authentication. You can return this to the browser in a form or the URL (maybe in a cookie, not sure if cookies can be passed between HTTP and HTTPS sites), and the non-encrypted part of your application would just check that the session ID is valid.

I don't know of an Apache module that will do this for you, and I don't know anything about Tomcat, but at a high level that's a common approach.

Hope this helps,

----Scott.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
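
The strategy described in the message above, sketched as an added example (not code from the original post, and not an Apache or Tomcat module): credentials are checked only on the secure connection, a random session ID is issued, and the non-encrypted side only looks that ID up. `SessionStore`, `make_record`, the `over_tls` flag and the 900-second lifetime are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password):
    """Build a (salt, hash) credential record for the constructed user table."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


class SessionStore:
    """Session table shared by the HTTPS login handler and the plain-HTTP pages."""

    def __init__(self, users, ttl=900, clock=time.time):
        self._users = users      # username -> (salt, password hash)
        self._sessions = {}      # session ID -> (username, expiry time)
        self._ttl = ttl          # assumed lifetime; the ID later travels unencrypted
        self._clock = clock

    def login(self, username, password, over_tls):
        """Login step: return a fresh session ID, or None if refused."""
        if not over_tls:
            return None          # credentials are accepted on the secure connection only
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        sid = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._sessions[sid] = (username, self._clock() + self._ttl)
        return sid

    def check(self, sid):
        """Non-encrypted side: map a presented session ID to a user, or None."""
        entry = self._sessions.get(sid or "")
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[sid]
            return None
        return username
```

If the ID is returned in a cookie, that cookie has to be set without the `Secure` attribute for the browser to send it to the HTTP side of the same host.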