[TAP5-47] Cookie is not a secure cookie even though all connection are HTTPS connections - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.0.15
Fix Version/s: 5.0.16
Component/s: None
Labels:
None

Description

A lot op applications are vulerable to a sniffing 'attack' even though
SSL is used. The vulnerability is caused by allowing the cookie to be
sent over http (the cookie is not a secure cookie)

See:

http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

My application always uses HTTPS because I have set
MetaDataConstants.SECURE_PAGE to true. The cookie however is not a
secure cookie because Tapestry does set the Cookie#setSecure attribute.

What I would like is that Tapestry does sets Cookie#setSecure when
SECURE_PAGE is true.

It seems that tomcat does set the secure setting but not with Jetty.

Attachments

Activity

People

Assignee:: Howard Lewis Ship

Reporter:: Martijn Brinkers

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Sep/08 19:22

Updated:: 15/Jan/09 16:23

Resolved:: 07/Nov/08 18:20