[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-741) auto-redirect to HTTPS

adsf adsf (JIRA) jira-events at lists.jboss.org
Sat Feb 10 12:21:29 EST 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-741?page=comments#action_12352771 ] 
            
adsf adsf commented on JBSEAM-741:
----------------------------------

Just keep in mind that you open a security hole once you switch from https back to http! 

I would like to suggest introducing a second session cookie that's _only_ transmitted via https (and created upon the first https request) - this can be verified by the same filter that redirects to http or https. Once the cookie is transmitted via http the session is considered insecure and therefore has to be invalidated. This should work with every browser / server (although I'm not 100% sure on it so you better check it another time ;)).

If you are looking for examples you might have a look at ACEGI - they have a http <-> https switching filter.

Last but not least I would like to request a scheme="https" attribute for s:link too.

> auto-redirect to HTTPS
> ----------------------
>
>                 Key: JBSEAM-741
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-741
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Gavin King
>         Assigned To: Shane Bryzak
>             Fix For: 1.1.7.GA
>
>
> We should make it easy to direct the request to https. We should also validate that requests that *should* be https actually *are* https.

-- 
This message is automatically generated by JIRA.
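The mechanism proposed in the comment above (redirect plain-HTTP requests to HTTPS, mint a second cookie on the first HTTPS request that the browser will only ever send over HTTPS, and invalidate the session when that cookie is missing, mismatched, or shows up over HTTP), written out as a servlet filter. This is an added example, not Seam or Acegi code; the cookie name SSESSIONID, the session attribute name and the choice to reject with 401 are assumptions, and it relies on the standard javax.servlet API (Cookie.setHttpOnly needs Servlet 3.0 or later).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not Seam/Acegi code) binding a session to a Secure-only cookie.
 * A plain JSESSIONID that leaked over HTTP is useless to an attacker unless the
 * HTTPS-only token that goes with it is presented as well.
 */
public class SecureSessionFilter implements Filter {
    // Hypothetical names chosen for this example.
    private static final String SECURE_COOKIE = "SSESSIONID";
    private static final String SESSION_ATTR = "secureSessionToken";
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String presented = cookieValue(request, SECURE_COOKIE);

        if (!request.isSecure()) {
            // A Secure cookie must never be sent over plain HTTP. If it arrives
            // anyway (broken client, injected cookie, proxy stripping TLS),
            // the session is considered exposed and dropped.
            if (presented != null && session != null) {
                session.invalidate();
            }
            // Redirect to the same URL on https, keeping host, path and query.
            StringBuffer url = request.getRequestURL();
            String target = "https" + url.substring(url.indexOf(":"));
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);
            return;
        }

        if (session == null) {
            session = request.getSession(true);
        }
        String expected = (String) session.getAttribute(SESSION_ATTR);

        if (expected == null) {
            // First HTTPS request for this session: mint a random token, remember
            // it server-side and hand it out as a Secure (and HttpOnly) cookie.
            byte[] buf = new byte[32];
            RNG.nextBytes(buf);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            session.setAttribute(SESSION_ATTR, expected);
            Cookie c = new Cookie(SECURE_COOKIE, expected);
            c.setSecure(true);   // browser sends it over HTTPS only
            c.setHttpOnly(true); // Servlet 3.0+: keep it away from scripts
            c.setPath("/");
            response.addCookie(c);
        } else if (!constantTimeEquals(expected, presented)) {
            // The session id arrived without its HTTPS-only token (or with the
            // wrong one): most likely a session id captured over HTTP. Kill it.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    private static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter in web.xml to the URL patterns that must be HTTPS. The redirect branch also covers the "validate that requests that *should* be https actually *are* https" half of the issue; the token check covers the comment's concern that a session used over HTTP and then upgraded to HTTPS can be replayed by whoever saw the plain-HTTP cookie.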
