So, my question now becomes: Where can I intercept the creation of
the session cookie and make sure it is secure before sending it to
the user?
I read that session hijacking article a week or so ago and was meaning
to add in an override to Wonder ... sooo ... If you use Wonder, you
can check out the latest commit, where there is a new ERXSession method:
    /**
     * Override and return true if you want secure-only session and
     * instance cookies. This prevents cookie hijacking
     * man-in-the-middle attacks. Note that to make this effective
     * (and for sessions to work at all), your site must be behind
     * HTTPS at all times. In development mode, you can disable
     * secure mode (@see er.extensions.ERXRequest.isSecureDisabled)
     * for running in direct-connect with this mode enabled.
     *
     * @return whether or not secure cookies are enabled
     */
    public boolean useSecureSessionCookies() {
        return false;
    }
Returning true for this method will cause Wonder to convert your
session and instance cookies to be secure-only cookies before they go
out over the wire.
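For readers who want to see the override in context, here is an added example of a Wonder application's Session class that turns the feature on. It is not code from the message above or from Wonder itself; it assumes the application's session class already extends er.extensions.ERXSession (the package path used in the Javadoc above), and the class name Session is the usual WebObjects convention, not something the message specifies.

```java
// Added example, not part of the original message or of Wonder.
// Assumes a WebObjects/Wonder application whose session class
// extends er.extensions.ERXSession (package path as referenced above).
import er.extensions.ERXSession;

public class Session extends ERXSession {

    /**
     * Ask Wonder to mark the session and instance cookies secure-only
     * before they are sent. A cookie carrying the Secure attribute is
     * never sent by the browser over plain HTTP, so an attacker who can
     * observe cleartext traffic cannot pick up the session ID.
     *
     * Consequence: the site must be served over HTTPS end to end, or
     * the browser will withhold the cookie and no session can resume.
     * For local direct-connect testing over HTTP, keep this returning
     * true and disable Wonder's secure mode instead, as the Javadoc
     * above describes via ERXRequest.isSecureDisabled.
     */
    @Override
    public boolean useSecureSessionCookies() {
        return true;
    }
}
```

One operational check after deploying this: look at the Set-Cookie headers on the first response from a fresh browser and confirm each session and instance cookie carries the Secure attribute; if a deployment behind a TLS-terminating proxy still shows them without it, Wonder is not seeing the request as secure and the override is not yet effective.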
ms
Webobjects-dev mailing list