Tapestry 5 / TAP5-47

Cookie is not a secure cookie even though all connections are HTTPS connections

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.15
    • Fix Version/s: 5.0.16
    • Component/s: None
    • Labels: None

      Description

      A lot of applications are vulnerable to a sniffing 'attack' even though
      SSL is used. The vulnerability is caused by allowing the cookie to be
      sent over http (the cookie is not a secure cookie).

      See:

      http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

      My application always uses HTTPS because I have set
      MetaDataConstants.SECURE_PAGE to true. The cookie, however, is not a
      secure cookie because Tapestry does not set the Cookie#setSecure attribute.

      What I would like is that Tapestry sets Cookie#setSecure when
      SECURE_PAGE is true.

      It seems that Tomcat does set the secure setting, but Jetty does not.
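      The report above turns on one attribute: a cookie issued during an HTTPS
      session is still sent by the browser over plain http unless the server
      marks it Secure, and whether that happens by default depends on the
      servlet container rather than on the application. The following servlet
      filter is an added example written for this page; it is not Tapestry's
      code nor the fix that shipped in 5.0.16. It uses only the standard
      javax.servlet API (Servlet 2.5, which is what the Tapestry 5.0.x line
      targeted) and forces the Secure attribute on every cookie the
      application adds while the request itself arrived over TLS, so the
      result no longer depends on Tomcat versus Jetty. The class and method
      names are the example's own.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (not Tapestry code): a filter that marks every cookie
 * written during an HTTPS request as Secure, so the browser will never
 * replay it over plain http regardless of what the framework or the
 * container would have done on its own.
 */
public class SecureCookieFilter implements Filter {

    public void init(FilterConfig config) {
        // No configuration needed for this example.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            // isSecure() is true only when the container itself terminated TLS.
            // Behind a TLS-terminating proxy it is false unless the container is
            // configured to trust a forwarded-protocol header; see the note below.
            if (request.isSecure()) {
                res = new SecureCookieResponse((HttpServletResponse) res);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Response wrapper that intercepts addCookie() and sets the Secure
     * attribute before the real response serialises the Set-Cookie header.
     */
    static final class SecureCookieResponse extends HttpServletResponseWrapper {

        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            super.addCookie(markSecure(cookie));
        }
    }

    /** Returns the given cookie with Cookie#setSecure(true) applied. */
    static Cookie markSecure(Cookie cookie) {
        cookie.setSecure(true);
        return cookie;
    }
}
```

      Map the filter to /* in web.xml ahead of the Tapestry filter so it wraps
      the response the framework writes to. Two caveats a practitioner should
      check: the wrapper only sees cookies added through
      HttpServletResponse#addCookie, so a Set-Cookie header written with
      addHeader/setHeader is not covered; and when TLS is terminated at a load
      balancer, HttpServletRequest#isSecure() returns false unless the
      container has been told to honour the proxy's forwarded-protocol header,
      in which case the filter will (correctly) leave the cookies alone and the
      deployment, not the code, needs fixing.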


          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Martijn Brinkers
          • Votes: 0
          • Watchers: 1
