
Secure login page only.

 
Bob Green
Ranch Hand
Posts: 93
I have the following scenario and don't know how to implement it:
I have a login page which needs to be secure with SSL. Once the user is able to log in, I don't want the subsequent pages to be secured anymore. How do I accomplish that?

TIA
 
Ben Souther
Sheriff
Posts: 13411
Most containers (Tomcat is one that I know of) will keep separate sessions for secure and non-secure sessions.
This is done for a good reason. In a non-secure session the sessionid cookie is passed over the web in clear text which opens your app up to session hijacking.

If your data is secure enough to require a secure login before accessing it, isn't it worth keeping the session under SSL? Why do you want to drop SSL? Is it for performance reasons? If so, have you tested to see exactly how much faster your app runs without SSL than with it?
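
An added example, not part of the original thread: a Servlet 3.0 `web.xml` that contrasts the login-only SSL setup asked about above with keeping the whole session under SSL, as the reply recommends. The URL patterns and resource names are hypothetical, and a Servlet 3.0+ container is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Login-only SSL (the setup asked about), shown for comparison only.
       Every request after login goes over plain HTTP, so the session ID
       cookie is sent in clear text and can be captured on the wire.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Whole application under SSL: the container redirects any plain
       HTTP request to HTTPS before the application sees it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <session-config>
    <cookie-config>
      <!-- Not readable from page scripts. -->
      <http-only>true</http-only>
      <!-- Browser returns the session cookie over HTTPS only. -->
      <secure>true</secure>
    </cookie-config>
    <!-- Keep the session ID out of URLs (no jsessionid rewriting). -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

With the `secure` flag set, a browser that is sent to an `http://` URL of the application does not attach the session cookie, so the request arrives unauthenticated instead of exposing the session ID.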
 