[
https://issues.apache.org/jira/browse/TAP5-47?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12664153#action_12664153
]
Filip S. Adamsen commented on TAP5-47:
--------------------------------------
So there is no way to turn this functionality off? I'm setting a cookie on a
secured page that I need access to on subsequent insecure pages. With this
change, it doesn't work anymore.
> Cookie is not a secure cookie even though all connection are HTTPS connections
> ------------------------------------------------------------------------------
>
> Key: TAP5-47
> URL: https://issues.apache.org/jira/browse/TAP5-47
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.0.15
> Reporter: Martijn Brinkers
> Assignee: Howard M. Lewis Ship
> Fix For: 5.0.16
>
>
> A lot op applications are vulerable to a sniffing 'attack' even though
> SSL is used. The vulnerability is caused by allowing the cookie to be
> sent over http (the cookie is not a secure cookie)
> See:
> http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
> My application always uses HTTPS because I have set
> MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
> secure cookie because Tapestry does set the Cookie#setSecure attribute.
> What I would like is that Tapestry does sets Cookie#setSecure when
> SECURE_PAGE is true.
> It seems that tomcat does set the secure setting but not with Jetty.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
