Posted to users@tomcat.apache.org by "Frederick N. Brier" <fb...@multideck.com> on 2001/10/16 05:49:12 UTC
Encrypted session cookies?
It seemed to me session IDs stored in cookies could be exploited since they
can be transmitted in the clear. Then I saw this message from a year ago
which talked about exploiting unencrypted cookies.
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg00423.html
It appears that Catalina session Cookie(s) are encrypted [ setSecure() ] if,
when the session is created, that Request is also "secure"
[WarpResponse.java, line 220]. However, if the session has already been
created, and then a person logs in, the session cookie would not be
setSecure(). Is this correct? Is there an easy way to set it up so the
session Cookie(s) are always encrypted? Thank you.
Re: Encrypted session cookies?
Posted by "Craig R. McClanahan" <cr...@apache.org>.
The Cookie.setSecure() method does *not* encrypt anything. It merely sets
a flag that tells the browser to only return this cookie on a secure
session.
If you don't want your session IDs to be snooped, you should always run
across SSL.
Craig McClanahan
On Mon, 15 Oct 2001, Frederick N. Brier wrote:
> Date: Mon, 15 Oct 2001 23:49:12 -0400
> From: Frederick N. Brier <fb...@multideck.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Encrypted session cookies?
>
> It seemed to me session IDs stored in cookies could be exploited since they
> can be transmitted in the clear. Then I saw this message from a year ago
> which talked about exploiting unencrypted cookies.
>
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg00423.html
>
> It appears that Catalina session Cookie(s) are encrypted [ setSecure() ] if,
> when the session is created, that Request is also "secure"
> [WarpResponse.java, line 220]. However, if the session has already been
> created, and then a person logs in, the session cookie would not be
> setSecure(). Is this correct? Is there an easy way to set it up so the
> session Cookie(s) are always encrypted? Thank you.
>
>
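The reply above makes the key distinction: setSecure() only adds the Secure attribute to the Set-Cookie header, so the browser withholds the cookie on plain HTTP; the session id itself is still sent in the clear inside whatever transport carries it, and only TLS hides it. The following is an added example written for this thread, not code from the thread or from Tomcat. It assumes the Servlet 3.0+ javax.servlet API (Tomcat 7 through 9; Tomcat 10+ uses the jakarta.servlet package), which postdates the 2001 discussion, and it shows the application-wide way to make the JSESSIONID cookie always carry Secure (and HttpOnly), together with a small header-attribute check a deployer can use to confirm the flags actually appear in the response. The class name and the helper methods are the example's own.

```java
// Added example (not from the thread or from Tomcat): marks the container's
// session cookie Secure and HttpOnly for the whole web application.
// Assumes the javax.servlet API, Servlet 3.0 or later (Tomcat 7 to 9).
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // SessionCookieConfig may only be changed before the context finishes
        // starting, which is exactly when contextInitialized runs.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // "Secure" is only a flag: the browser will not send JSESSIONID over
        // plain HTTP. The id is still plaintext inside the TLS stream; the
        // confidentiality comes from running over SSL/TLS, not from this flag.
        cookie.setSecure(true);

        // Keep page scripts from reading the id through document.cookie.
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Splits one Set-Cookie header line into its attribute names (lower-cased),
     * ignoring the leading name=value pair. Useful for checking a captured
     * response header, e.g. from a test client or an access-log hook.
     * "JSESSIONID=ABC123; Path=/; Secure; HttpOnly" -> [path, secure, httponly]
     */
    static Set<String> attributeNames(String setCookieHeader) {
        Set<String> names = new LinkedHashSet<>();
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) {          // parts[0] is name=value
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            names.add((eq < 0 ? attr : attr.substring(0, eq)).toLowerCase());
        }
        return names;
    }

    /** True when the session cookie header carries both hardening attributes. */
    static boolean isHardened(String setCookieHeader) {
        Set<String> names = attributeNames(setCookieHeader);
        return names.contains("secure") && names.contains("httponly");
    }
}
```

The listener is picked up automatically through @WebListener, or can be declared with a `<listener>` element in web.xml; the same two settings can also be given declaratively in a Servlet 3.0 web.xml under `<session-config><cookie-config>`. A Secure cookie is simply dropped by the browser on an http:// request, so pair this with a `<security-constraint>` whose `<transport-guarantee>` is CONFIDENTIAL so that Tomcat redirects plain-HTTP requests to HTTPS instead of silently starting a fresh session. None of this changes what is on the wire: as the reply says, only SSL keeps the session id from being snooped.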