Tapestry 5: TAP5-47

Cookie is not a secure cookie even though all connections are HTTPS connections

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.15
    • Fix Version/s: 5.0.16
    • Component/s: None
    • Labels: None

      Description

      A lot of applications are vulnerable to a sniffing 'attack' even though
      SSL is used. The vulnerability is caused by allowing the cookie to be
      sent over http (the cookie is not a secure cookie).

      See:

      http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

      My application always uses HTTPS because I have set
      MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
      secure cookie because Tapestry does not set the Cookie#setSecure attribute.

      What I would like is that Tapestry sets Cookie#setSecure when
      SECURE_PAGE is true.

      It seems that Tomcat does set the secure setting but not Jetty.
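The behaviour the report asks for, written as an added example against the plain Servlet API; this is not Tapestry's own code and not the fix shipped in 5.0.16. The helper class name, the `securePagesOnly` parameter (standing in for the application's SECURE_PAGE setting) and the choice to OR it with `request.isSecure()` are assumptions made here:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not part of Tapestry) that always marks a cookie
 * Secure when the application is configured for HTTPS-only pages.
 * Assumes the Servlet API (javax.servlet) is on the classpath.
 */
public final class SecureCookieWriter {

    private SecureCookieWriter() {}

    /**
     * Builds and adds a cookie. The Secure attribute is set when either the
     * application is configured as secure-only (the SECURE_PAGE case from the
     * report) or the current request itself arrived over TLS, so the browser
     * will never send the cookie back over plain http.
     *
     * @param securePagesOnly hypothetical flag mirroring SECURE_PAGE = true
     */
    public static Cookie addCookie(HttpServletRequest request,
                                   HttpServletResponse response,
                                   String name, String value,
                                   int maxAgeSeconds,
                                   boolean securePagesOnly) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);

        // request.isSecure() reflects the container's view of the connection.
        // Behind a TLS-terminating proxy it can be false even though the client
        // spoke HTTPS, which is why the explicit configuration flag is OR-ed in
        // rather than relying on the request alone.
        boolean secure = securePagesOnly || request.isSecure();
        cookie.setSecure(secure);

        response.addCookie(cookie);
        return cookie;
    }
}
```

The point of combining the configuration flag with `request.isSecure()` is that the two fail in different ways: the request check alone is what differs between containers and proxies, while the configuration flag alone would leave a cookie unprotected on an application that is only partly served over HTTPS. Setting Secure whenever either says HTTPS is the conservative choice; a cookie marked Secure is simply never sent over http, which is the property the report is after.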

        People

        • Assignee: hlship (Howard M. Lewis Ship)
        • Reporter: martijn_brinkers (Martijn Brinkers)
        • Votes: 0
        • Watchers: 1