On 29/07/2013 22:09, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, July 29, 2013 2:54 PM
>> To: Tomcat Users List
>> Subject: Re: secure cookies
>>
>> On 29/07/2013 21:31, Jeffrey Janner wrote:
>>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
>>> Sent: Monday, July 29, 2013 2:29 PM
>>> To: 'Tomcat Users List'
>>> Subject: secure cookies
>>>
>>> Have a client that is wanting us to implement the following in
>>> web.xml:
>>> <session-config>
>>>     <cookie-config>
>>>         <http-only>true</http-only>
>>>         <secure>true</secure>
>>>     </cookie-config>
>>> </session-config>
>>> But from what I can tell, that's only available in 7+ and we are
>>> running at 6.latest with plans to upgrade.
>>> Found a site that says I can accomplish the same in 6 by setting
>>> useHttpOnly="true" in the context and setting secure="true" in the non-
>>> SSL connector.
>>> I know the former is correct, but the latter seems a stretch.  Am I
>>> correct in not trusting that answer?
>>
>> The web.xml settings are configuring all cookies to use the secure and
>> httpOnly flags.
>>
>> For Tomcat 6, useHttpOnly="true" at the Context level will achieve the
>> first. (OK so far)
>>
>> Setting secure="true" on a HTTP connector is a recipe for a massive
>> security hole. There are some very limited cases where it is the right
>> thing to do but I doubt this is one of them. What that setting will do
>> is tell Tomcat that all connections to that connector are secure and
>> Tomcat will treat them as if they were HTTPS connections and *not*
>> redirect things to real HTTPS if, for example, your webapp has a
>> transport guarantee.
>>
>> The only way I can think to set the secure flag on all cookies for
>> Tomcat 6 is to add a Filter that wraps the response and modifies every
>> cookie added via HttpServletResponse.addCookie()
>>
>> Even then if you have a request that creates a session on an HTTP
>> request I don't think you'll catch that.
>>
>> Mark
>>
>
> Thanks for the verification, Mark.  I was under the impression you'd only
> want to do that if you were already front-ending the site with something that
> was doing the SSL for you (e.g. httpd or a proxy), and the servers spoke HTTP
> to each other.

Correct. That is the valid use case for setting secure="true" on an HTTP
connector.

> From what I understand, if the cookie is created in response to a request 
> that came in on HTTPS then it will be secure, otherwise not.

Correct.

> Our app accepts an initial request to the login page on HTTP, but should be
> automatically routed to the HTTPS connector due to <transport-guarantee>
> before the page is actually sent back.  Then we actually invalidate the
> session and create a new one on successful login, and that session/cookie is used
> for the rest of the user's time on the site.
> So all I really need to do to implement at 6.x is the context change. Correct?

Assuming the app creates no other cookies that should be fine.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org