On Oct 7, 2008, at 9:37 PM, Ramsey Gurley wrote:
I guess my question is: Are session cookies secure by default if a certificate is available? I know, I should just generate a certificate and test it, but was hoping you guys could save me that effort until I'm ready to mess with it :-) I ask, because it is my understanding that even if the entire site was https, an attacker could still hijack an insecure cookie and completely defeat my website's security...http://fscked.org/blog/fully-automated-active-https-cookie-hijackingWell thanks for your insight so far Guido! You're always a huge help, and I do appreciate it :-)
Hmm, according to the docs, it is not http://developer.apple.com/documentation/DeveloperTools/Reference/WO541Reference/com/webobjects/appserver/WOCookie.html#isSecure()So, my question now becomes: Where can I intercept the creation of the session cookie and make sure it is secure before sending it to the user?
Thanks everyone, Ramsey
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to [EMAIL PROTECTED]
