tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24739] Control of secure flag when establishing sessions through https using cookies
Date Tue, 22 Feb 2011 17:46:07 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=24739

--- Comment #6 from Mark Thomas <markt@apache.org> 2011-02-22 12:46:02 EST ---
(In reply to comment #5)
> How can you say there are no valid use cases?  Virtually EVERY ecommerce site
> on the internet supports this behavior.

No they don't. At least the securely written ones don't. I thoroughly recommend
taking a detailed look at how Amazon does this - or at least as much as can be
deduced from looking at the HTTP headers from the client side. There is more to
it than a single session. Amazon has multiple cookies. I see 5 that don't
have the secure flag set and one that does.

The non-secure cookies are what allows Amazon to determine who you are when you
connect over http but you can't access any security sensitive information (past
orders, addresses, credit card details etc). For that you have to use https and
that requires authentication or the presence of a valid secure cookie.

The Amazon application is using a far more sophisticated model than the single
session with a single cookie model provided by the Servlet specification. If
you want that sort of model as used by Amazon and others then you'll need to
either code it yourself or use a framework that provides it.

With respect to this particular bug the primary concern of the Tomcat
committers is security. If a session is created over https then it must remain
over https in order to remain secure.

As I have said previously, if a valid use case for creating a non-secure
session cookie over https that does not compromise security is presented then
this will be re-considered but until such time it remains WONTFIX.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
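The two-tier cookie model the comment above describes (a non-secure "recognition" cookie that may travel over plain http, and a separate Secure-flagged cookie that is the only thing granting access to sensitive data over https) can be shown in a few dozen lines. The following is an added example written for this archive page; it is not Tomcat code, not the Servlet API, and not Amazon's implementation. The cookie names `rec` and `auth`, the signing key, the in-memory session dict and the `demo()` helper are all constructed for illustration. It also goes slightly beyond the comment by modelling the user agent's rule for the Secure attribute (RFC 6265: a Secure cookie is sent only over a secure scheme), so the second run shows exactly what is lost when the Secure flag is dropped from the session cookie, which is the behaviour the bug asked Tomcat to allow.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side key used to sign the non-secure recognition cookie
# (constructed for this example; a real deployment would load it from config).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical server-side store, token -> user id. This stands in for what a
# servlet container's session manager holds; here it is just a dict.
AUTH_SESSIONS: dict = {}

REC_COOKIE = "rec"    # non-secure: "who is this, probably?" for greeting over http
AUTH_COOKIE = "auth"  # Secure: proves authentication, only ever travels over https


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool = True

    def set_cookie_header(self) -> str:
        """Render as a Set-Cookie header value using RFC 6265 attribute syntax."""
        attrs = [f"{self.name}={self.value}", "Path=/"]
        if self.secure:
            attrs.append("Secure")
        if self.http_only:
            attrs.append("HttpOnly")
        return "; ".join(attrs)


def _sign(user_id: str) -> str:
    return hmac.new(SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_recognition_cookie(user_id: str) -> Cookie:
    """Identity hint allowed over plain http. Signed so it cannot be forged, but
    deliberately NOT Secure: a sniffer learns only which user to greet."""
    return Cookie(REC_COOKIE, f"{user_id}.{_sign(user_id)}", secure=False)


def issue_auth_cookie(user_id: str, secure: bool = True) -> Cookie:
    """Random bearer token bound to a server-side session. `secure=False` exists
    only so the example can show what goes wrong when the flag is dropped."""
    token = secrets.token_urlsafe(32)
    AUTH_SESSIONS[token] = user_id
    return Cookie(AUTH_COOKIE, token, secure=secure)


def browser_cookies_for(jar: list, scheme: str) -> dict:
    """Model the user agent's Secure-attribute rule: a Secure cookie is attached
    only to requests made over https; everything else goes out on both schemes."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def _recognised_user(value: Optional[str]) -> Optional[str]:
    if not value or "." not in value:
        return None
    user_id, sig = value.rsplit(".", 1)
    return user_id if hmac.compare_digest(sig, _sign(user_id)) else None


def classify_request(scheme: str, cookies: dict) -> str:
    """Server-side policy: sensitive data needs https AND a valid auth token.
    The recognition cookie alone, on any scheme, yields at most 'recognized'."""
    if scheme == "https":
        user = AUTH_SESSIONS.get(cookies.get(AUTH_COOKIE, ""))
        if user is not None:
            return f"authenticated:{user}"
    user = _recognised_user(cookies.get(REC_COOKIE))
    return f"recognized:{user}" if user else "anonymous"


def demo(auth_cookie_secure: bool) -> tuple:
    """Log alice in, then let a passive observer on the http path replay whatever
    the browser leaked over http against the https endpoint. Returns
    (alice over http, alice over https, attacker replaying sniffed cookies over https)."""
    jar = [issue_recognition_cookie("alice"),
           issue_auth_cookie("alice", secure=auth_cookie_secure)]
    over_http = browser_cookies_for(jar, "http")    # what a sniffer on port 80 sees
    over_https = browser_cookies_for(jar, "https")
    return (
        classify_request("http", over_http),
        classify_request("https", over_https),
        classify_request("https", over_http),
    )


if __name__ == "__main__":
    print("Secure flag kept:   ", demo(True))
    print("Secure flag dropped:", demo(False))
```

With the Secure flag kept, the observer on the http path gets only the recognition cookie and ends up merely "recognized" when replaying it over https, which is the property the comment describes. With the flag dropped, the same observer captures the auth token and is fully authenticated, which is why a session created over https must stay on https to remain secure.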

