Thank you!  Sorry ... I guess this had nothing to do with CakePHP.

On Jun 9, 11:34 pm, "David C. Zentgraf" <[EMAIL PROTECTED]> wrote:
> http://cookies.lcs.mit.edu/sslflag.html
>
> > One of the values in a cookie is the SSL? bit. If this bit is set to  
> > true, then the cookie will only be sent back to the server over a  
> > connection which is encrypted with SSL. If it is set to false, the  
> > cookie will be sent whenever the user visits the domain.
>
> On 10 Jun 2008, at 14:44, aranworld wrote:
>
> > So, the secure flag gets set in the cookie itself and ensures that the
> > cookie is only ever read over a secure connection?
>
> > PHP Manual says:
>
> > When set to TRUE, the cookie will only be set if a secure connection
> > exists.
> > The default is FALSE. On the server-side, it's on the programmer to
> > send this kind of cookie only on secure connection (e.g. with respect to
> > $_SERVER["HTTPS"]).
>
> > This last part about it being "on the programmer" is what confuses
> > me.  This suggests to me that the "secure" parameter only applies to
> > the setting of a cookie, but that I, the programmer, have to do
> > something on my end to continue to keep it secure after it is set.
>
> > -Aran
>
> > On Jun 9, 10:07 pm, "David C. Zentgraf" <[EMAIL PROTECTED]> wrote:
> >> Because the browser won't hand the cookie back to Cake over a non-SSL
> >> connection anyway if it's been set as secure cookie(?).
>
> >> On 10 Jun 2008, at 13:57, aranworld wrote:
>
> >>> In the cookie component there is:
>
> >>> $secure = false
>
> >>> If set to true, it will only allow you to write a cookie if the
> >>> connect is through an HTTPS connection.
>
> >>> But this flag has no impact on reading cookies.  The component
> >>> provides no method for ensuring that a cookie is only read under an
> >>> SSL connection.
>
> >>> Am I misunderstanding something?  If we secure the writing of the
> >>> cookie, don't we also need to secure the reading of that same cookie
> >>> to prevent hijacking?
>
> >>> Can someone explain why this SSL check for reading cookies isn't in
> >>> the Component code?
>
> >>> -Aran
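
Added example, not part of the original thread or of CakePHP's code: a simplified JavaScript model of the browser-side decision the thread is about, showing that a cookie stored with the Secure attribute is left out of plain-HTTP requests, so the server has nothing to read there. The host `shop.example`, the cookie names and the function names are constructed for illustration, and the matching rules are a reduced version of what real browsers do.

```javascript
// Simplified model of a browser cookie jar (hypothetical names, constructed data).

// Parse one Set-Cookie header value into a stored-cookie record.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    host: originHost, path: '/', secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true; // attribute has no value
    else if (key === 'path' && v.trim().startsWith('/')) cookie.path = v.trim();
  }
  return cookie;
}

// Path matching: exact match, or cookie path is a directory prefix of the request path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Build the Cookie request header the client would send for a given URL.
function cookieHeaderFor(jar, requestUrl) {
  const url = new URL(requestUrl);
  const encrypted = url.protocol === 'https:';
  return jar
    .filter(c => c && c.host === url.hostname)
    .filter(c => pathMatches(url.pathname, c.path))
    .filter(c => !c.secure || encrypted) // Secure cookies only over HTTPS
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: one Secure session cookie, one ordinary cookie.
const jar = [
  parseSetCookie('session=abc123; Path=/; Secure', 'shop.example'),
  parseSetCookie('theme=dark; Path=/', 'shop.example'),
];
console.log('https:', cookieHeaderFor(jar, 'https://shop.example/cart'));
console.log('http: ', cookieHeaderFor(jar, 'http://shop.example/cart'));
```
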