Cookie is not a secure cookie even though all connections are HTTPS connections
------------------------------------------------------------------------------

Key: TAPESTRY-2661
URL: https://issues.apache.org/jira/browse/TAPESTRY-2661
Project: Tapestry
Issue Type: Improvement
Reporter: Martijn Brinkers

A lot of applications are vulnerable to a sniffing 'attack' even though SSL is used. The vulnerability is caused by allowing the cookie to be sent over HTTP (the cookie is not a secure cookie).

See: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

My application always uses HTTPS because I have set MetaDataConstants.SECURE_PAGE to true. The cookie however is not a secure cookie because Tapestry does set the Cookie#setSecure attribute. What I would like is that Tapestry sets Cookie#setSecure when SECURE_PAGE is true.

It seems that Tomcat does set the secure setting but not with Jetty.
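
The behaviour this issue describes, as an added example that is not part of the original report or of Tapestry: Python's standard cookie jar stands in for a browser to show which requests carry a cookie that was issued over HTTPS, with and without the Secure attribute. The host name, cookie name and cookie value are constructed for illustration.

```python
# Added example: models a browser with Python's standard cookie jar.
# Host name, cookie name and value are constructed for illustration.
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class _Response:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            # Message appends on assignment, so repeated headers are kept.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_values, issued_at_url, requested_url):
    """Return the Cookie header a client would attach to requested_url
    after receiving set_cookie_values in a response from issued_at_url,
    or None if no cookie is sent."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie_values),
                        urllib.request.Request(issued_at_url))
    outgoing = urllib.request.Request(requested_url)
    jar.add_cookie_header(outgoing)
    return outgoing.get_header("Cookie")


HTTPS_URL = "https://app.example.com/"   # where the application is served
HTTP_URL = "http://app.example.com/"     # same host, plain HTTP

WITHOUT_SECURE = ["SESSION=constructed-id; Path=/"]
WITH_SECURE = ["SESSION=constructed-id; Path=/; Secure"]

if __name__ == "__main__":
    for label, headers in (("without Secure", WITHOUT_SECURE),
                           ("with Secure", WITH_SECURE)):
        for url in (HTTPS_URL, HTTP_URL):
            sent = cookie_header_for(headers, HTTPS_URL, url)
            print(f"{label:15} -> {url:26} Cookie: {sent}")
```

Serving every page over HTTPS does not change the first result: the client decides per request, and only the Secure attribute keeps the cookie off a plain-HTTP request to the same host.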