[ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645835#action_12645835 ]

Martijn Brinkers commented on TAP5-47:
--------------------------------------

I agree. If the connection is initiated over a secure channel the session 
should be secured as well.  There can however be a problem when a web 
application's login page uses HTTPS but other pages do not. If other pages do 
not use HTTPS the cookie won't be sent and the user is therefore not 
authenticated (I think). Although I think that it's better to always use HTTPS, 
because you are otherwise vulnerable to the 'cookie monster attack', it would 
be nicer if there is a setting that can disable the setSecure option. The 
default setting would be that setSecure is true if the connection was secure.

> Cookie is not a secure cookie even though all connections are HTTPS connections
> ------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)  
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry does set Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that tomcat does set the secure setting but not with Jetty. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
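The behaviour the comment above asks for (Secure follows the connection by default, with an opt-out for sites whose login page is HTTPS but whose other pages are not) can be done in a servlet filter. This is an added example, not Tapestry or JIRA code; the filter class, the `secure-cookies` init-param name and its semantics are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter: every cookie the application adds during an HTTPS
 * request is marked Secure, so it is never sent back over plain HTTP.
 * The (assumed) init-param "secure-cookies" = "false" disables this for
 * mixed HTTPS/HTTP deployments; the default is the behaviour the comment
 * proposes (Secure is set whenever the connection was secure).
 */
public class SecureCookieFilter implements Filter {
    private boolean secureCookies = true;

    @Override
    public void init(FilterConfig config) {
        String setting = config.getInitParameter("secure-cookies"); // assumed name
        secureCookies = setting == null || !setting.equalsIgnoreCase("false");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() is true only for requests received over HTTPS.
        final boolean markSecure = secureCookies && req.isSecure();

        HttpServletResponse wrapped =
                new HttpServletResponseWrapper((HttpServletResponse) resp) {
            @Override
            public void addCookie(Cookie cookie) {
                if (markSecure) {
                    cookie.setSecure(true); // browser withholds it on http:// URLs
                }
                super.addCookie(cookie);
            }
        };
        chain.doFilter(req, wrapped);
    }

    @Override
    public void destroy() {
    }
}
```

Note that the container's own session cookie (JSESSIONID) is usually written by the container itself rather than through `addCookie`, so this wrapper only covers cookies the application adds; securing the session cookie still depends on the container, which matches the report's observation that Tomcat sets the flag and Jetty does not.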


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to