Posted to users@myfaces.apache.org by "Ph. Dinh" <pm...@yahoo.com> on 2013/03/26 18:04:58 UTC

MYFACES-3177

Hi,

Regarding MYFACES-3177 - Add secure flag for cookies if the page is accessed over a secured connection

https://issues.apache.org/jira/browse/MYFACES-3177

What is the rational reason behind this fix?  Is there any major issue for not having the Secure flag in the flash cookies when sending in HTTPS?  Or is it because most cookies, which are sent in HTTPS, are recommended to have the Secure flag by RFC

As I understand, a secured/encrypted connection does encrypt its data (including headers).  So even without the secure flag, the cookie will still be encrypted.

Regards,
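
Added example, not part of the original post and not MyFaces code: under RFC 6265 the Secure attribute controls which later requests a client attaches a cookie to, which is separate from the encryption of the connection the cookie first arrived on. The sketch uses Python's http.cookiejar as a stand-in for a browser's cookie store; the host, paths and cookie name are constructed placeholders, and no network traffic is generated.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample values: host, paths and cookie name are placeholders.
ORIGIN = "https://app.example.test/faces/form.xhtml"
PLAIN_COOKIE = "flash_token=constructed123; Path=/"
SECURE_COOKIE = "flash_token=constructed123; Path=/; Secure"


class StubResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, next_url, origin=ORIGIN):
    """Store a cookie received from `origin`, then return the Cookie header
    the client would attach to a request for `next_url` (None if withheld)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(StubResponse(set_cookie), urllib.request.Request(origin))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, cookie in (("no Secure", PLAIN_COOKIE), ("Secure", SECURE_COOKIE)):
        for scheme in ("https", "http"):
            url = f"{scheme}://app.example.test/faces/next.xhtml"
            print(f"{label:9} -> {scheme:5}: {cookie_header_for(cookie, url)}")
```

Both cookies are received over HTTPS; only the one without Secure is also attached to the http:// request to the same host, where it travels in cleartext.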