A lot of applications are vulnerable to a sniffing 'attack' even though SSL is used. The vulnerability is caused by allowing the cookie to be sent over HTTP (the cookie is not a secure cookie).

See: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

My application always uses HTTPS because I have set MetaDataConstants.SECURE_PAGE to true. The cookie, however, is not a secure cookie because Tapestry does set the Cookie#setSecure attribute. What I would like is that Tapestry sets Cookie#setSecure when SECURE_PAGE is true.

Martijn
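An added example, not part of the original message and not Tapestry's own code: one way to get the requested behaviour at the servlet layer is a filter that marks every cookie the application adds as Secure when the request arrived over HTTPS. The class name `SecureCookieFilter` is hypothetical; only standard `javax.servlet` calls are used.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: forces the Secure attribute on cookies set during
// HTTPS requests, so the browser never replays them over plain HTTP.
public class SecureCookieFilter implements Filter {

    public void init(FilterConfig config) {
        // No configuration needed.
    }

    public void destroy() {
        // Nothing to release.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() reflects the connection the container sees; behind a
        // TLS-terminating proxy it can be false unless the container is
        // configured to trust the proxy's scheme information.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override
                public void addCookie(Cookie cookie) {
                    // Equivalent to the Cookie#setSecure call asked for above.
                    cookie.setSecure(true);
                    super.addCookie(cookie);
                }
            };
        }
        // Cookies the container writes itself (for example the session
        // cookie) may not pass through this wrapper; check the Set-Cookie
        // headers of a real response to confirm they carry "Secure".
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped ahead of the framework's own filter in `web.xml` so that the wrapped response is the one the application writes cookies to.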