On 07/20/2011 10:31 PM, Ulf Dittmer wrote:
> Hello-
>
> We're using Stripes on most of our web sites, and were just now hit
> by the lack of full HTTPS support
> (http://www.stripesframework.org/jira/browse/STS-239). Seeing that
> that issue, and the 1.6 Release of which it is part, have been a long
> time in the making already, we were wondering if there's any kind of
> timeframe for which this release (or just this issue) is targeted, or
> hoped for? Any guidance on this would be helpful. Many thanks in
> advance,

Hi,

I was a little surprised by the notion that Stripes does not support SSL ;-). As far as I understand things, the Stripes taglib just creates some relative links, so if one page is https, then all links on this page will be https as well.

If you want some pages to be opened using SSL and other pages not, then... I need to ask something about how sessions are managed. Your session id, which is of utter importance, is transported on both SSL requests and on non-SSL requests. If someone steals your session id while you are requesting a non-SSL page, then he can hijack the session and see the SSL pages as well.

The easiest solution is of course to not have any non-SSL pages and stop worrying, but in this case you wouldn't need a new feature in Stripes.

But if for some reason you feel like you must have SSL and non-SSL pages in parallel, one could for example issue two different session ids, one for the SSL pages and another one for non-SSL pages. There is a "secure" option on cookies to tell the browser to not publish a cookie on non-SSL pages. Is anything like that done?

>
> Ulf

Thomas

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
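
The two-session-id idea from the reply above, as an added sketch that is not part of the original message and not Stripes code. It models which cookies a browser attaches to HTTP and HTTPS requests when only one of two session cookies carries the `Secure` attribute; the cookie names `SID` and `SSID` and all function names are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

def issue_session_cookies():
    """Server: create two unrelated ids; only SSID carries the Secure attribute."""
    record = {"SID": secrets.token_urlsafe(16), "SSID": secrets.token_urlsafe(16)}
    jar = SimpleCookie()
    for name, value in record.items():
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True
    jar["SSID"]["secure"] = True  # browser must not send this over plain HTTP
    return [morsel.OutputString() for morsel in jar.values()], record

def cookies_sent(set_cookie_headers, scheme):
    """Browser: cookies attached to a request, honouring the Secure attribute."""
    sent = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["secure"] and scheme != "https":
                continue  # Secure cookies stay off non-SSL requests
            sent[name] = morsel.value
    return sent

def authorize(record, scheme, request_cookies):
    """Server: HTTPS pages accept only SSID, HTTP pages only SID."""
    name = "SSID" if scheme == "https" else "SID"
    return secrets.compare_digest(request_cookies.get(name, ""), record[name])

if __name__ == "__main__":
    headers, record = issue_session_cookies()
    for scheme in ("http", "https"):
        sent = cookies_sent(headers, scheme)
        print(scheme, sorted(sent), "authorized:", authorize(record, scheme, sent))
    # Cookies visible on the HTTP request do not open the HTTPS pages.
    print("HTTP cookies on HTTPS page:",
          authorize(record, "https", cookies_sent(headers, "http")))
```

The separation only holds if the server checks `SSID` alone on HTTPS pages; accepting `SID` there as a fallback would bring back the single shared id the reply warns about.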