That is totally sweet! Any chance we could get that as a property?

    return ERXProperties.booleanForKeyWithDefault("er.extensions.ERXSession.useSecureSessionCookies", false);

Wonder is so awesome (^_^)

On Oct 8, 2008, at 8:20 AM, Mike Schrag wrote:
So, my question now becomes: Where can I intercept the creation of the session cookie and make sure it is secure before sending it to the user?

I read that session hijacking article a week or so ago and was meaning to add in an override to Wonder ... sooo ... If you use Wonder, you can check out the latest commit where there is a new ERXSession method:

    /**
     * Override and return true if you want secure-only session and instance cookies. This prevents
     * cookie hijacking man-in-the-middle attacks. Note that to make this effective (and for sessions to
     * work at all), your site must be behind HTTPS at all times. In development mode, you can disable
     * secure mode (@see er.extensions.ERXRequest.isSecureDisabled) for running in direct-connect
     * with this mode enabled.
     *
     * @return whether or not secure cookies are enabled
     */
    public boolean useSecureSessionCookies() {
        return false;
    }

Returning true for this method will cause Wonder to convert your session and instance cookies to be secure-only cookies before they go out over the wire.

ms

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/rgurley%40mac.com
This email sent to [EMAIL PROTECTED]
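An added example, not part of the original thread or of Wonder's code: a small check that the session and instance cookies in a response actually carry the Secure attribute once useSecureSessionCookies() returns true. The cookie names "wosid" and "woinst" are assumed to be the WebObjects defaults, and the header values are constructed samples.

```python
# Added example: flag WebObjects session/instance cookies sent without "Secure".
# Assumption: the app uses the default cookie names "wosid" and "woinst".
SESSION_COOKIE_NAMES = {"wosid", "woinst"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lowercase attribute names to their values; flag attributes
    such as Secure and HttpOnly map to an empty string.
    Assumes the cookie value itself contains no ';'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def insecure_session_cookies(set_cookie_values, names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies that lack the Secure attribute."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if name.lower() in names and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed Set-Cookie values: secure cookies off, then on.
SAMPLE_BEFORE = [
    'wosid=Ab3xQ9constructed; version="1"; path=/cgi-bin/WebObjects/Example.woa',
    'woinst=1; version="1"; path=/cgi-bin/WebObjects/Example.woa',
    "theme=dark; path=/",
]
SAMPLE_AFTER = [
    'wosid=Ab3xQ9constructed; version="1"; path=/cgi-bin/WebObjects/Example.woa; Secure',
    'woinst=1; version="1"; path=/cgi-bin/WebObjects/Example.woa; secure',
    "theme=dark; path=/",
]

if __name__ == "__main__":
    print("before:", insecure_session_cookies(SAMPLE_BEFORE))
    print("after: ", insecure_session_cookies(SAMPLE_AFTER))
```

Feed it the Set-Cookie values captured from a staging response; an empty result means both cookies are secure-only.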
