Tapestry 5 / TAP5-47

Cookie is not a secure cookie even though all connections are HTTPS connections

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.15
    • Fix Version/s: 5.0.16
    • Component/s: None
    • Labels: None

      Description

      A lot of applications are vulnerable to a sniffing 'attack' even though
      SSL is used. The vulnerability is caused by allowing the cookie to be
      sent over HTTP (the cookie is not a secure cookie).

      See:

      http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

      My application always uses HTTPS because I have set
      MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
      secure cookie because Tapestry does set the Cookie#setSecure attribute.

      What I would like is that Tapestry sets Cookie#setSecure when
      SECURE_PAGE is true.

      It seems that Tomcat does set the secure setting, but Jetty does not.
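
A way to check a deployment for the condition this report describes, as an added example that is not part of the original issue or of Tapestry: it parses Set-Cookie header values from HTTPS responses and lists the cookies that lack the Secure attribute. The host names, cookie names and header values are constructed samples.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# All URLs and header values below are constructed samples, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def insecure_cookies(responses):
    """Return (url, cookie name) for cookies set over HTTPS without Secure.

    `responses` is a list of (url, [Set-Cookie header values]) pairs.
    """
    findings = []
    for url, headers in responses:
        if not url.lower().startswith("https://"):
            continue  # this check only covers cookies issued over HTTPS
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            if "secure" not in attrs:
                findings.append((url, name))
    return findings


# Constructed samples: two hypothetical deployments of one application.
SAMPLES = [
    ("https://app-a.example/login",
     ["JSESSIONID=0A1B2C; Path=/; Secure"]),
    ("https://app-b.example/login",
     ["JSESSIONID=0A1B2C; Path=/",
      "theme=secure; Path=/",               # the value "secure" is not the attribute
      "lang=en; Path=/; SECURE; HttpOnly"]),  # upper-case attribute still counts
]

if __name__ == "__main__":
    for url, name in insecure_cookies(SAMPLES):
        print(f"{url}: cookie {name!r} lacks Secure")
```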

        Activity

        Howard M. Lewis Ship made changes -
        Fix Version/s 5.0.16 [ 12313427 ]
        Resolution Fixed [ 1 ]
        Status In Progress [ 3 ] Closed [ 6 ]
        Howard M. Lewis Ship made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Howard M. Lewis Ship made changes -
        Assignee Howard M. Lewis Ship [ hlship ]
        Howard M. Lewis Ship made changes -
        Affects Version/s 5.0.15 [ 12313429 ]
        Howard M. Lewis Ship made changes -
        Issue Type Improvement [ 4 ] Bug [ 1 ]
        Affects Version/s 5.0 [ 12312018 ]
        Project Tapestry [ 10573 ] Tapestry 5 [ 12310833 ]
        Key TAPESTRY-2661 TAP5-47
        Howard M. Lewis Ship made changes -
        Field Original Value New Value
        Affects Version/s 5.0 [ 12312018 ]
        Martijn Brinkers created issue -

          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Martijn Brinkers
          • Votes: 0
          • Watchers: 1
