Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread stephanos
Hi Stephan,

you are right, I didn't think about it this way. Thanks for going into 
detail :)

PS: I tried the solution with the setHeader() a while ago and if I remember 
correctly the JSESSIONID-Cookie never went through this method. Could be 
because of App Engine, not sure.



Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread Stephan Hartmann
Hi Stephan,

request.getSession() creates a new session if there isn't already one
(what's true for the first request) and its ID is available immediately
after that, so it will work for the first request as well.

If you are creating your sessions programmatically, you may know where
request.getSession() is called and you could set the session cookie just
immediately afterwards.

Another solution would be a servlet filter that wraps the response and
overrides the setHeader(String name, String value) method and check for
calls with "SET-COOKIE" for name and values beginning with "JSESSIONID" and
if it's the case, just append "; HttpOnly" to the value before calling the
setHeader method of the wrapped response.

HTH,
Stephan


Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread stephanos
Hey Stephan,

thanks for the suggestion! 

But doesn't this solution write the JSESSIONID on every request? And it 
seems to only work after the 2nd HTTP request?

Regards
Stephan :)



-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at http://groups.google.com/group/google-appengine.
For more options, visit https://groups.google.com/d/optout.


Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread Stephan Hartmann
Hi Stephanos,

Please find here some suggestions how to set the httponly flag for session
cookies on servlet containers prior to JEE6:
https://www.owasp.org/index.php/HttpOnly#What_is_HttpOnly.3F

Best regards,
Stephan



Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread stephanos
Hey Vinny,

thanks for your detailed response!

But it seems you are talking about the 'Secure'-flag - not the 
'HttpOnly'-flag. Because the 'HttpOnly'-flag has nothing to do with 
HTTPS/HTTP: It prevents Javascript from accessing the cookie. So even if we 
use HTTPS everywhere (which we do) if someone is able to inject Javascript 
into our application it can read the session cookie!



Re: [google-appengine] HttpOnly-Cookie in Java?

2014-05-26 Thread Vinny P
On Fri, May 23, 2014 at 2:53 AM, stephanos wrote:

> Well, this can't be! How are others solving this?
>

There are a couple of ways to solve this. The easiest would be to make your
site available through HTTPS only - detect if the user is using an
unencrypted connection, and if so, redirect to the HTTPS equivalent URL.
Forcing HTTPS everywhere isn't too much of a burden - a Gmail engineer
wrote that SSL accounts for less than 1% of CPU load and less than 2% of
network overhead.

Another way - as I noted above - is to use unencrypted connections on one
subdomain and force HTTPS if using a site through a separate subdomain.
Reddit does this: most connections on reddit are unencrypted, try this link
and inspect in the console: http://www.reddit.com/r/google

But if you use the pay.reddit.com subdomain, all communications are forced
to be encrypted. Inspect this page in your console:
https://pay.reddit.com/r/google . If you try and visit
pay.reddit.com without using HTTPS, you'll get an error message:
http://imgur.com/9K81FoB

Another alternative is to set up nginx or another server as a reverse
proxy, and configure it to rewrite cookies with respect to secure/insecure
connections. This option is difficult to configure though.


-
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com



Re: [google-appengine] HttpOnly-Cookie in Java?

2014-04-30 Thread Vinny P
On Wed, Apr 23, 2014 at 10:04 AM, stephanos wrote:

> how do we make our JSESSIONID-Cookie HttpOnly?
> We know that App Engine runs on Servlet 2.5 which doesn't support this
> flag, but there must be a way around this.
>


I don't believe there's a way to do that.

If you want a workaround, you could try hosting a HTTPS version of your
site on one subdomain, and the regular HTTP version on another subdomain.
Mark the cookie as only available on a single subdomain.


-
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com



[google-appengine] HttpOnly-Cookie in Java?

2014-04-23 Thread stephanos
Hi there,

how do we make our JSESSIONID-Cookie HttpOnly?

We know that App Engine runs on Servlet 2.5 which doesn't support this 
flag, but there must be a way around this.

Regards
Stephan
