> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, July 29, 2013 2:54 PM
> To: Tomcat Users List
> Subject: Re: secure cookies
> 
> On 29/07/2013 21:31, Jeffrey Janner wrote:
> > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> > Sent: Monday, July 29, 2013 2:29 PM
> > To: 'Tomcat Users List'
> > Subject: secure cookies
> >
> > Have a client that is wanting us to implement the following in
> web.xml:
> > <session-config>
> >     <cookie-config>
> >         <http-only>true</http-only>
> >         <secure>true</secure>
> >     </cookie-config>
> > </session-config>
> > But from what I can tell, that's only available in 7+ and we are
> running at 6.latest with plans to upgrade.
> > Found a site that says I can accomplish the same in 6 by setting
> useHttpOnly="true" in the context and setting secure="true" in the non-
> SSL connector.
> > I know the former is correct, but the latter seems a stretch.  Am I
> correct in not trusting that answer?
> 
> The web.xml settings are configuring all cookies to use the secure and
> httpOnly flags.
> 
> For Tomcat 6, useHttpOnly="true" at the Context level will achieve the
> first. (OK so far)
> 
> Setting secure="true" on a HTTP connector is a recipe for a massive
> security hole. There are some very limited cases where it is the right
> thing to do but I doubt this is one of them. What that setting will do
> is tell Tomcat that all connections to that connector are secure and
> Tomcat will treat them as if they were HTTPS connections and *not*
> redirect things to real HTTPS if, for example, your webapp has a
> transport guarantee.
> 
> The only way I can think to set the secure flag on all cookies for
> Tomcat 6 is to add a Filter that wraps the response and modifies every
> cookie added via HttpServletResponse.addCookie()
> 
> Even then if you have a request that creates a session on an HTTP
> request I don't think you'll catch that.
> 
> Mark
> 

Thanks for the verification, Mark.  I was under the impression you'd only want 
to do that if you were already front-ending the site with something that was 
doing the SSL for you (e.g. httpd or a proxy), and the server spoke HTTP 
between each other.
From what I understand, if the cookie is created in response to a request that 
came in on HTTPS then it will be secure, otherwise not.
Our app accepts an initial request to the login page on HTTP, but should be 
automatically routed to the HTTPS connector due to <transport-guarantee> before 
the page is actually sent back.  Then we actually invalidate the session and 
create a new one on successful login, and that session/cookie is used for the rest 
of the user's time on the site.
So all I really need to do to implement at 6.x is the context change. Correct?
Jeff
