A guideline from OWASP is that session cookies have their ‘secure’
flag set so the browser never transmits them in the clear.

Details are here:  
http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection

When using HttpServletRequest’s getSession the resulting response
header generated for this is of the form:

Set-Cookie   JSESSIONID=0QaYcX5Mp2uEoak6SG5hjQ;Path=/

This is the case even when establishing the session over https and
setting the transport-guarantee to CONFIDENTIAL in the web.xml.

In Jetty, setting whether session cookies are secure can be configured
in jetty-web.xml.  Is there something equivalent for GAE?

Ideally the default behavior would be to create secure sessions when
sessions are created over https and there is a confidential transport
guarantee specified in web.xml.

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine for Java" group.
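One application-level workaround while no container-side setting is available, as an added example that is not from the original post and not a GAE-provided feature: a servlet filter wraps the response and appends Secure to the JSESSIONID Set-Cookie header on HTTPS requests. The cookie name and the Servlet 2.5 API surface are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Appends the Secure attribute to the session cookie on HTTPS requests using only
// the Servlet 2.5 API (no SessionCookieConfig). Constructed example, not a GAE setting.
public class SecureSessionCookieFilter implements Filter {
    // Cookie name assumed to match the Set-Cookie header quoted in the post.
    static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only flag on HTTPS: a Secure cookie is never sent over plain HTTP, so flagging
        // it on an HTTP request would just break that session.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            res = new SecureCookieResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    // Rewrites Set-Cookie headers for the session cookie as the application writes them.
    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse response) { super(response); }
        static String withSecure(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name) || !value.startsWith(SESSION_COOKIE + "=")) {
                return value;
            }
            // Already flagged (";Secure" or "; secure", any case): leave untouched.
            if (value.matches("(?i).*;\\s*secure\\s*(;.*)?")) return value;
            return value + ";Secure";
        }

        @Override public void addHeader(String name, String v) { super.addHeader(name, withSecure(name, v)); }
        @Override public void setHeader(String name, String v) { super.setHeader(name, withSecure(name, v)); }
        @Override public void addCookie(Cookie c) {
            if (SESSION_COOKIE.equals(c.getName())) c.setSecure(true);
            super.addCookie(c);
        }
    }
}
```

Register it in web.xml as a filter mapped to /* ahead of the application's servlets. Containers often write the session cookie on the underlying response rather than through the wrapper, so confirm the header actually sent with a packet capture or the browser's cookie inspector before relying on this.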