[ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645833#action_12645833 ]
Howard M. Lewis Ship commented on TAP5-47:
------------------------------------------

I think the best I can do is setSecure(true) when the request itself is secure.

> Cookie is not a secure cookie even though all connections are HTTPS connections
> ------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie).
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does not set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not Jetty.
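The approach Howard describes (set the Secure flag on outgoing cookies when the request itself arrived over TLS) can also be applied outside Tapestry, at the servlet layer, which makes it container-independent and avoids the Tomcat/Jetty difference the report mentions. The following is an added example written for this page, not code from Tapestry or from the issue; it uses only the standard Servlet API. The class name SecureCookieFilter is hypothetical, and it assumes the filter is mapped in web.xml to the same URL pattern as the Tapestry filter and listed before it, so that Tapestry writes its cookies through the wrapped response.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of Tapestry): forces the Secure flag on every
 * cookie the application adds while the current request arrived over HTTPS.
 * Map it in web.xml to the same URL pattern as the Tapestry filter and place
 * its filter-mapping before Tapestry's, so Tapestry sees the wrapped response.
 */
public class SecureCookieFilter implements Filter {

    /** Response wrapper that marks outgoing cookies Secure (and HttpOnly). */
    static final class SecureCookieResponse extends HttpServletResponseWrapper {
        private final boolean requestIsSecure;

        SecureCookieResponse(HttpServletResponse response, boolean requestIsSecure) {
            super(response);
            this.requestIsSecure = requestIsSecure;
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Secure tells the browser to return the cookie only over HTTPS, so a
            // later plain-http request to the same host cannot leak it to a sniffer.
            // Only set it when this request came over TLS: a Secure cookie issued
            // on a plain-http site would never be sent back at all.
            if (requestIsSecure) {
                cookie.setSecure(true);
            }
            // HttpOnly keeps script out of the cookie as well. Requires Servlet 3.0;
            // remove this line on older containers.
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // isSecure() reports the connection the container itself saw. Behind a
        // TLS-terminating proxy it is false unless the connector is configured to
        // trust the proxy's forwarded scheme, so verify this in your deployment.
        boolean secure = httpRequest.isSecure();
        chain.doFilter(request, new SecureCookieResponse(httpResponse, secure));
    }

    @Override
    public void destroy() { }
}
```

To check the result, fetch a page that sets a cookie over HTTPS and confirm the Set-Cookie response header carries the "Secure" attribute; if it does not, the usual cause is isSecure() returning false because TLS is terminated in front of the container.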