Re: [Resin-interest] Cookie security over SSL (https) connections

2009-09-14 Thread Mattias Jiderhamn
I think you need to make sure you are using an SSL connection
(request.isSecure()) before you create the Cookies in the first place.
The behaviour when changing a non-secure cookie to a secure one may be
browser dependent.

/Mattias

Abhinav Gupta wrote (2009-09-10 14:34):
 Thanks Jeff,

 But we are creating no cookies on our own. Our requirement is to just
 secure the Apache OR Resin created Cookies for session management.
 So we created a generic filter for that.

 Regards,
 Abhinav


[Resin-interest] Cookie security over SSL (https) connections

2009-09-10 Thread Abhinav Gupta
Thanks Jeff,

But we are creating no cookies on our own. Our requirement is to just secure
the Apache OR Resin created Cookies for session management.
So we created a generic filter for that.

Regards,
Abhinav


Re: [Resin-interest] Cookie security over SSL (https) connections

2009-09-10 Thread Kai Virkki
Hi!

Have you tried using the ssl-session-cookie configuration?

Here's the documentation:

http://caucho.com/resin-3.1/doc/cluster-tags.xtp#ssl-session-cookie


Cheers,
Kai


___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


[Resin-interest] Cookie security over SSL (https) connections

2009-09-09 Thread Abhinav Gupta
Hi All,


This problem is regarding cookie security over SSL (https). We are running a
J2EE web application; our motive is to get the cookie's isSecure flag set
to true. We tried researching the Resin config settings for this but had
no luck. Details of the approach we tried and the issue faced are elaborated
below.

Environment Details

1. Resin 3.1.7 server running a web application called tool
2. Apache is in the front forwarding/redirecting all inbound traffic to the
resin server.
3. Apache is setup with trusted SSL certificates from godaddy.


Problem Details

By default, for all secure https requests, Resin is sending cookies back with
the isSecure flag as false.
We tried looking for a Resin config setting to fix this, but can't find any.
So we created a servlet filter in our webapp
to trap all inbound requests and manually set the isSecure flag to true.

This servlet filter approach partially fixed the problem. We are saying
partially because there are two cookies created by
the application in the browser.

Cookie 1: Its path is domain name/ and the isSecure flag is false
Cookie 2: Its path is domain name/tools and the isSecure flag is true

So Cookie 2 is as expected, but Cookie 1 is not coming back secured. To fix this,
we tried deploying the same servlet filter in the ROOT webapp of Resin, but
the problem persisted as before.


Here is the servlet filter code.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        // Secure if it's an HTTP-based request
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;
            // Cookies parsed from the inbound Cookie request header
            Cookie[] cookies = httpReq.getCookies();
            if (cookies != null && cookies.length > 0) {
                for (Cookie cookie : cookies) {
                    // Make the cookie secure
                    cookie.setSecure(true);
                    // Add it to the response (re-sent to the browser as Set-Cookie)
                    httpRes.addCookie(cookie);
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }

    public void destroy() {
    }

}

Please suggest.

Regards,
Abhinav


Re: [Resin-interest] Cookie security over SSL (https) connections

2009-09-09 Thread Jeff Schnitzer
Why aren't you creating the cookies with setSecure(true) in the first place?

If you have tons of legacy code that sets cookies, why not create a
Filter that wraps HttpServletResponse (there is a convenient
HttpServletResponseWrapper for this), intercepts the addCookie()
method calls, and calls setSecure(true)?

If you want this value set, you need to set it outbound, not after
they've already been to the browser.

Jeff

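The response-wrapping filter Jeff describes above, with Mattias's request.isSecure() check folded in, written out as an added example. This is not code from the thread, from Resin or from Apache; the class names and the alwaysSecure init-param are my own and hypothetical. The point of the design is the one Jeff makes: the Secure attribute only exists on the wire in the outbound Set-Cookie header, so the place to set it is addCookie() on the response, not on the Cookie objects parsed from the inbound Cookie header.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical example filter (not part of Resin or of the thread's code).
 * Wraps the response so that every cookie added through addCookie() on the
 * wrapped response carries the Secure attribute when it reaches the browser.
 * Servlet 2.5 API only, so no setHttpOnly() (that arrived in Servlet 3.0).
 */
public class SecureCookieFilter implements Filter {

    // Hypothetical init-param. When Apache terminates TLS in front of Resin,
    // request.isSecure() on the Resin side can be false even though the browser
    // connection is https; set alwaysSecure=true for an https-only site.
    private boolean alwaysSecure;

    public void init(FilterConfig config) throws ServletException {
        alwaysSecure = "true".equalsIgnoreCase(config.getInitParameter("alwaysSecure"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Mattias's check: only mark cookies Secure on a connection that is
            // actually TLS (or when the deployment guarantees TLS upstream).
            // A Secure cookie issued over plain http is not sent back by browsers.
            if (alwaysSecure || httpReq.isSecure()) {
                res = new SecureCookieResponse((HttpServletResponse) res);
            }
        }
        // Downstream servlets and JSPs see the wrapper and never know it is there.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Forces the Secure attribute on every cookie added via this response. */
    static class SecureCookieResponse extends HttpServletResponseWrapper {

        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Set outbound, before the Set-Cookie header is written; flipping the
            // flag on a cookie parsed from the request (as in the original filter)
            // changes nothing the browser ever sees unless it is re-sent like this.
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }
}
```

Register it in web.xml as a filter mapped to /* in every webapp whose cookies need hardening, including the ROOT webapp if that is where the path=/ cookie originates. Two caveats a practitioner should verify rather than assume: a wrapper only sees cookies that pass through the wrapped response, so whether the container's own session cookie is added that way or written straight to the underlying response is container-specific, and code that emits cookies with setHeader("Set-Cookie", ...) or addHeader("Set-Cookie", ...) bypasses addCookie() entirely. The definitive check is the raw response: request a page over https and confirm that each Set-Cookie header ends with the "; Secure" attribute.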