[ http://jira.jboss.com/jira/browse/JBSEAM-741?page=comments#action_12352771 ]
adsf adsf commented on JBSEAM-741:
----------------------------------
Just keep in mind that you open a security hole once you switch from https back to http!

I would like to suggest introducing a second session cookie that's _only_ transmitted via https (and created upon the first https request) - this can be verified by the same filter that redirects to http or https. Once the cookie is transmitted via http the session is considered insecure and therefore has to be invalidated. This should work with every browser / server (although I'm not 100% sure on it so you better check it another time ;)).

If you are looking for examples you might have a look at ACEGI - they have an http <-> https switching filter.

Last but not least I would like to request a scheme="https" attribute for s:link too.
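A runnable model of the filter logic sketched in this comment, added here as an example (it is not JBoss Seam or ACEGI code): the ordinary JSESSIONID cookie travels over both schemes, a second marker cookie (the name SECURE_MARKER is assumed) is created with the Secure flag on the first https request and bound to the session, and the filter invalidates the session as soon as that marker shows up on an http request. Going slightly beyond the comment, it also invalidates a session whose id is presented over https without the marker bound to it; the Request/Response shapes, host name and protected path list are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "JSESSIONID"    # ordinary session cookie, sent over http and https
MARKER_COOKIE = "SECURE_MARKER"  # assumed name; issued with the Secure flag

@dataclass
class Request:
    scheme: str                  # "http" or "https"
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    action: str                  # "ok", "redirect" or "invalidated"
    location: str = ""
    set_cookies: list = field(default_factory=list)  # (name, value, secure_flag)

class HttpsSwitchFilter:
    def __init__(self, https_paths, host="example.test"):
        self.https_paths = set(https_paths)
        self.host = host
        self.sessions = {}       # session id -> marker bound to it (None until first https)

    def do_filter(self, req):
        sid = req.cookies.get(SESSION_COOKIE)
        marker = req.cookies.get(MARKER_COOKIE)
        if sid not in self.sessions:   # no valid session yet: create one as the container would
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
        if req.scheme == "http":
            if marker is not None:
                # A Secure-only cookie arrived in clear text: the session is now
                # considered insecure and is invalidated, as the comment proposes.
                self.sessions.pop(sid, None)
                return Response("invalidated")
            if req.path in self.https_paths:
                return Response("redirect", f"https://{self.host}{req.path}")
            return Response("ok")
        bound = self.sessions[sid]
        if bound is None:              # first https request: create and bind the marker
            bound = secrets.token_hex(16)
            self.sessions[sid] = bound
            return Response("ok", set_cookies=[(MARKER_COOKIE, bound, True)])
        if marker != bound:            # session id presented without its https-only marker
            self.sessions.pop(sid, None)
            return Response("invalidated")
        return Response("ok")
```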
auto-redirect to HTTPS
----------------------
Key: JBSEAM-741
URL: http://jira.jboss.com/jira/browse/JBSEAM-741
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: Gavin King
Assigned To: Shane Bryzak
Fix For: 1.1.7.GA
We should make it easy to direct the request to https. We should also validate that
requests that *should* be https actually *are* https.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira