You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tapestry.apache.org by "Filip S. Adamsen (JIRA)" <ji...@apache.org> on 2009/01/15 17:24:59 UTC
[jira] Commented: (TAP5-47) Cookie is not a secure cookie even
though all connection are HTTPS connections
[ https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12664153#action_12664153 ]
Filip S. Adamsen commented on TAP5-47:
--------------------------------------
So there is no way to turn this functionality off? I'm setting a cookie on a secured page that I need access to on subsequent insecure pages. With this change, it doesn't work anymore.
> Cookie is not a secure cookie even though all connection are HTTPS connections
> ------------------------------------------------------------------------------
>
> Key: TAP5-47
> URL: https://issues.apache.org/jira/browse/TAP5-47
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.0.15
> Reporter: Martijn Brinkers
> Assignee: Howard M. Lewis Ship
> Fix For: 5.0.16
>
>
> A lot op applications are vulerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry does sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that tomcat does set the secure setting but not with Jetty.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.