Posted to user@struts.apache.org by Deepa Khetan <de...@gmail.com> on 2005/12/14 05:05:19 UTC

[OT] Cookie

Hi!!
I am not getting any help from the net about this issue. So, posting this question
on this group.
I want to know exactly what difference does it make if I set
Cookie.setSecure(true)?? I am using SSL in my application. What are the
advantages or disadvantages of doing it from a security point of view?

Please help

Deepa

Please help give me some advice

Posted by Sony Thomas <so...@genialgenetics.com>.
Hi,

ActionErrors is deprecated. What can I use in the validate method instead
of ActionErrors?

sony

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [OT] Cookie

Posted by Alexandre Poitras <al...@gmail.com>.
Yeah, you're right. I wasn't clear in my explanations. It would only
allow you to use it on an https connection so it is sent encrypted on
the network. It means your cookie will be unavailable when the user
connects through a normal HTTP connection (http). It will only be
available through an HTTP/SSL connection (https).

Deepa, everything sent on the network through an https connection will
be encrypted. Nobody can interpret what is sent on the network
whenever you use an https URL for your pages containing private data
(for example, a login page). But yeah, a cookie is usually saved in plain
text. Internet Explorer and Firefox allow you to see their values
quite easily, so if you decide to store the user password in a cookie,
you should encrypt the value yourself before sending it.

I have never done that myself so I can't help you there. But I am sure
there are some Java security experts on this users list.

On 12/14/05, Tamas Szabo <sz...@gmail.com> wrote:
> According to my knowledge cookie.setSecure(true) doesn't encrypt
> anything. If you call it then the cookie will be sent only over
> a secure connection. So if you have an unsecure connection the cookie
> will not be used.
>
> Tamas


--
Alexandre Poitras
Québec, Canada



Re: [OT] Cookie

Posted by Tamas Szabo <sz...@gmail.com>.
According to my knowledge cookie.setSecure(true) doesn't encrypt
anything. If you call it then the cookie will be sent only over
a secure connection. So if you have an unsecure connection the cookie
will not be used.

Tamas

On 12/14/05, Deepa Khetan <de...@gmail.com> wrote:
>
> Thanks Alexandre!!
> Just a couple of doubts... what do you mean by "It doesn't encrypt the values
> stored on the client. You have to do it yourself." ?? Does that mean that
> the values will be visible in clear text?? How can I check how the data is
> getting encrypted over the network?? Do I need to use some tool for it??
> Actually, before implementing it, I need to tell all the pros and cons for
> secured Cookies to my client. So, I need to do my homework thoroughly.

Re: [OT] Cookie

Posted by Deepa Khetan <de...@gmail.com>.
Thanks Alexandre!!
Just a couple of doubts... what do you mean by "It doesn't encrypt the values
stored on the client. You have to do it yourself." ?? Does that mean that
the values will be visible in clear text?? How can I check how the data is
getting encrypted over the network?? Do I need to use some tool for it??
Actually, before implementing it, I need to tell all the pros and cons for
secured Cookies to my client. So, I need to do my homework thoroughly.



On 12/14/05, Alexandre Poitras <al...@gmail.com> wrote:
>
> If you set this property to true, your cookie will be sent over an
> HTTP/SSL (https) connection. What it means is that every value to be
> stored in this cookie is encrypted before being sent on the network.
> This way, any malicious third party who is *sniffing* the network
> can't read the values to be stored in this cookie. You should only use
> it if you store sensitive information in the cookie that you don't want
> anyone to intercept. But be warned that the cookie can still be
> accessed by the client, so it isn't the best place to store a password
> unless you use encrypted values. Cookie.setSecure() only encrypts data
> sent on the network, which is decrypted by the client when it is
> received. It doesn't encrypt the values stored on the client. You have
> to do it yourself.

Re: [OT] Cookie

Posted by Alexandre Poitras <al...@gmail.com>.
If you set this property to true, your cookie will be sent over an
HTTP/SSL (https) connection. What it means is that every value to be
stored in this cookie is encrypted before being sent on the network.
This way, any malicious third party who is *sniffing* the network
can't read the values to be stored in this cookie. You should only use
it if you store sensitive information in the cookie that you don't want
anyone to intercept. But be warned that the cookie can still be
accessed by the client, so it isn't the best place to store a password
unless you use encrypted values. Cookie.setSecure() only encrypts data
sent on the network, which is decrypted by the client when it is
received. It doesn't encrypt the values stored on the client. You have
to do it yourself.

On 12/13/05, Deepa Khetan <de...@gmail.com> wrote:
> Hi!!
> I am not getting any help from the net about this issue. So, posting this question
> on this group.
> I want to know exactly what difference does it make if I set
> Cookie.setSecure(true)?? I am using SSL in my application. What are the
> advantages or disadvantages of doing it from a security point of view?
>
> Please help
>
> Deepa
>
>


--
Alexandre Poitras
Québec, Canada



Re: [OT] Cookie

Posted by Paul Benedict <pa...@yahoo.com>.
If you setSecure(true), the cookie will ONLY be available through HTTPS.

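
The behaviour Tamas and Paul describe, as an added example that is not part of the original thread: the Secure flag decides which requests carry the cookie and leaves the stored value untouched. It uses the JDK's client-side java.net.CookieManager and HttpCookie as a stand-in for a browser (an assumption of this example) rather than the servlet Cookie class; the host name and cookie values are constructed.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class SecureCookieDemo {

    // Cookie header values the JDK's client-side CookieManager would attach to a request for `uri`.
    static List<String> cookieHeaderFor(CookieManager mgr, String uri) throws IOException {
        Map<String, List<String>> noHeaders = Collections.emptyMap();
        List<String> values = mgr.get(URI.create(uri), noHeaders).get("Cookie");
        return values == null ? Collections.<String>emptyList() : values;
    }

    // Helper for this example only: builds a cookie with or without the Secure flag.
    static HttpCookie cookie(String name, String value, boolean secure) {
        HttpCookie c = new HttpCookie(name, value);
        c.setVersion(0);      // plain "name=value" header form
        c.setPath("/");
        c.setSecure(secure);  // same flag that the servlet Cookie.setSecure() sets
        return c;
    }

    public static void main(String[] args) throws IOException {
        CookieManager mgr = new CookieManager();
        URI origin = URI.create("https://shop.example.test/"); // constructed host
        mgr.getCookieStore().add(origin, cookie("SESSION", "abc123", true)); // constructed values
        mgr.getCookieStore().add(origin, cookie("THEME", "dark", false));

        // The Secure cookie is attached to the https request only; the other cookie goes to both.
        System.out.println("https: " + cookieHeaderFor(mgr, "https://shop.example.test/account"));
        System.out.println("http:  " + cookieHeaderFor(mgr, "http://shop.example.test/account"));

        // The flag encrypts nothing at rest: the client-side store holds the raw value.
        for (HttpCookie c : mgr.getCookieStore().getCookies()) {
            System.out.println(c.getName() + " stored as '" + c.getValue()
                    + "' secure=" + c.getSecure());
        }
    }
}
```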