[
https://issues.apache.org/jira/browse/TAPESTRY-2661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Howard M. Lewis Ship updated TAPESTRY-2661:
-------------------------------------------
Affects Version/s: 5.0
> Cookie is not a secure cookie even though all connection are HTTPS connections
> ------------------------------------------------------------------------------
>
> Key: TAPESTRY-2661
> URL: https://issues.apache.org/jira/browse/TAPESTRY-2661
> Project: Tapestry
> Issue Type: Improvement
> Affects Versions: 5.0
> Reporter: Martijn Brinkers
>
> A lot op applications are vulerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry does sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that tomcat does set the secure setting but not with Jetty.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
