Affects Version/s: 5.0.15
Fix Version/s: 5.0.16
A lot op applications are vulerable to a sniffing 'attack' even though
SSL is used. The vulnerability is caused by allowing the cookie to be
sent over http (the cookie is not a secure cookie)
My application always uses HTTPS because I have set
MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
secure cookie because Tapestry does set the Cookie#setSecure attribute.
What I would like is that Tapestry does sets Cookie#setSecure when
SECURE_PAGE is true.
It seems that tomcat does set the secure setting but not with Jetty.
|Field||Original Value||New Value|
|Affects Version/s||5.0 [ 12312018 ]|
|Affects Version/s||5.0.15 [ 12313429 ]|
|Assignee||Howard M. Lewis Ship [ hlship ]|
|Status||Open [ 1 ]||In Progress [ 3 ]|
|Fix Version/s||5.0.16 [ 12313427 ]|
|Resolution||Fixed [ 1 ]|
|Status||In Progress [ 3 ]||Closed [ 6 ]|
|Transition||Time In Source Status||Execution Times||Last Executer||Last Execution Date|
|56d 22h 15m||1||Howard M. Lewis Ship||07/Nov/08 17:38|
|42m 14s||1||Howard M. Lewis Ship||07/Nov/08 18:20|