Posted to dev@tapestry.apache.org by "Martijn Brinkers (JIRA)" <de...@tapestry.apache.org> on 2008/09/11 21:23:44 UTC

[jira] Created: (TAPESTRY-2661) Cookie is not a secure cookie even though all connections are HTTPS connections

Cookie is not a secure cookie even though all connections are HTTPS connections
-------------------------------------------------------------------------------

                 Key: TAPESTRY-2661
                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2661
             Project: Tapestry
          Issue Type: Improvement
            Reporter: Martijn Brinkers


A lot of applications are vulnerable to a sniffing 'attack' even though
SSL is used. The vulnerability is caused by allowing the cookie to be
sent over http (the cookie is not a secure cookie)

See:

http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

My application always uses HTTPS because I have set
MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
secure cookie because Tapestry does set the Cookie#setSecure attribute.

What I would like is that Tapestry sets Cookie#setSecure when
SECURE_PAGE is true.

It seems that Tomcat does set the secure setting but not with Jetty.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org


[jira] Commented: (TAP5-47) Cookie is not a secure cookie even though all connections are HTTPS connections

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645833#action_12645833 ] 

Howard M. Lewis Ship commented on TAP5-47:
------------------------------------------

I think the best I can do is setSecure(true) when the request itself is secure.

> Cookie is not a secure cookie even though all connections are HTTPS connections
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not with Jetty.



[jira] Commented: (TAP5-47) Cookie is not a secure cookie even though all connections are HTTPS connections

Posted by "Martijn Brinkers (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645835#action_12645835 ] 

Martijn Brinkers commented on TAP5-47:
--------------------------------------

I agree. If the connection is initiated over a secure channel the session should be secured as well.  There can however be a problem when a web application's login page uses HTTPS but other pages do not. If other pages do not use HTTPS the cookie won't be sent and the user is therefore not authenticated (I think). Although I think that it's better to always use HTTPS, because you are otherwise vulnerable to the 'cookie monster attack', it would be nicer if there is a setting that can disable the setSecure option. The default setting would be that setSecure is true if the connection was secure.

> Cookie is not a secure cookie even though all connections are HTTPS connections
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not with Jetty.

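As an added example (it is not Tapestry's own code and not the change Howard shipped in 5.0.16), here is the policy the two comments above converge on, written against the plain Servlet API that Tapestry 5.0 sits on: a cookie is marked Secure whenever the request that creates it was itself received over HTTPS, and a single configuration flag (an assumption, not a real Tapestry symbol) lets an application that mixes an HTTPS login page with plain-HTTP pages opt out, as Martijn's comment asks for. The class and flag names are hypothetical; `Cookie.setSecure`, `HttpServletRequest.isSecure` and `HttpServletResponse.addCookie` are real Servlet API calls.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not part of Tapestry) that applies the rule discussed
 * in TAP5-47: set the Secure attribute on every cookie written in response to
 * an HTTPS request, unless the application has explicitly opted out.
 */
public final class SecureCookieWriter {

    /**
     * Assumed configuration flag. Default true: cookies written on a secure
     * request are Secure. An application whose login page is HTTPS but whose
     * other pages are plain HTTP would set this to false, accepting that the
     * cookie then travels in clear on those pages (the sniffing problem the
     * issue reporter describes).
     */
    private final boolean secureCookiesOnSecureRequests;

    public SecureCookieWriter(boolean secureCookiesOnSecureRequests) {
        this.secureCookiesOnSecureRequests = secureCookiesOnSecureRequests;
    }

    /** Pure decision, kept separate so it can be unit-tested without a container. */
    public boolean shouldBeSecure(boolean requestWasSecure) {
        return secureCookiesOnSecureRequests && requestWasSecure;
    }

    /** Builds the cookie, applies the Secure policy and adds it to the response. */
    public Cookie write(HttpServletRequest request, HttpServletResponse response,
                        String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);

        // isSecure() is true when the container itself received the request
        // over HTTPS; see the usage note for the reverse-proxy caveat.
        if (shouldBeSecure(request.isSecure())) {
            cookie.setSecure(true);
        }

        response.addCookie(cookie);
        return cookie;
    }
}
```

Two things a practitioner should check when relying on this rule. First, `request.isSecure()` reflects what the servlet container saw, so behind a TLS-terminating proxy or load balancer it is false unless the container is told to trust the proxy's forwarded-protocol header (Tomcat's RemoteIpValve is the usual way); in that deployment the Secure attribute silently disappears and the cookie is exactly as exposed as the issue describes. Second, the opt-out only makes sense for the mixed-scheme case Martijn mentions; for an application that sets SECURE_PAGE everywhere, leave the flag at its default and verify with a browser's cookie inspector, or by reading the `Set-Cookie` response header, that the `Secure` attribute is actually present.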


[jira] Closed: (TAP5-47) Cookie is not a secure cookie even though all connections are HTTPS connections

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship closed TAP5-47.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 5.0.16

> Cookie is not a secure cookie even though all connections are HTTPS connections
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>             Fix For: 5.0.16
>
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not with Jetty.



[jira] Updated: (TAPESTRY-2661) Cookie is not a secure cookie even though all connections are HTTPS connections

Posted by "Howard M. Lewis Ship (JIRA)" <de...@tapestry.apache.org>.
     [ https://issues.apache.org/jira/browse/TAPESTRY-2661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAPESTRY-2661:
-------------------------------------------

    Affects Version/s: 5.0

> Cookie is not a secure cookie even though all connections are HTTPS connections
> -------------------------------------------------------------------------------
>
>                 Key: TAPESTRY-2661
>                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2661
>             Project: Tapestry
>          Issue Type: Improvement
>    Affects Versions: 5.0
>            Reporter: Martijn Brinkers
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not with Jetty.



[jira] Assigned: (TAP5-47) Cookie is not a secure cookie even though all connections are HTTPS connections

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship reassigned TAP5-47:
----------------------------------------

    Assignee: Howard M. Lewis Ship

> Cookie is not a secure cookie even though all connections are HTTPS connections
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-47
>                 URL: https://issues.apache.org/jira/browse/TAP5-47
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>            Assignee: Howard M. Lewis Ship
>
> A lot of applications are vulnerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that Tomcat does set the secure setting but not with Jetty.
