tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 24739] Control of secure flag when establishing sessions through https using cookies
Date Tue, 22 Feb 2011 18:04:16 GMT

--- Comment #7 from Andrew Mottaz <> 2011-02-22 13:04:11 EST ---
You actually made my point SOME of the cookies are not secure.  My point is not
that you should never have secure session cookies.  It's that sometimes you
don't want them secure.   So - if it is appropriate for the session cookie to
NOT be secure ( i.e. - I'm identified but don't have any special privileges ),
then I have to make sure that they hit a non-secure page first, instead of a
secure log-in page.  Look at facebook.  

You actually make the security issue worse because the security level of the
cookie is seemingly arbitrary and undocumented:  i.e. -- if you hit a secure
page first its secure.  If you hit a non-secure page first its not secure.  Why
not just make it an explicit setting -- Session Cookie secure or not secure. 
Then the developer decides explictly.  As it is now, it is confusing and
arbirtary, and requires that you control every access to the site -- which has
a greater likelihood - that someone allows sessions to accidentally be created
on a non-secure page, or that someone sets a value EXPLICITLY to non-secure
when they really meant that it be secure.

It's been 8 years - I don't really care about this to the extent that there are
workarounds, but the proper solution IMHO is to make the security of the
session cookie explicit.  This improves both cases - Its MORE secure, and I can
allow insecure session cookies from a secured first page log-in.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message