Date: Tue, 22 Feb 2011 13:04:16 -0500 (EST)
Message-Id: <201102221804.p1MI4G7s027662@thor.apache.org>
From: bugzilla@apache.org
To: dev@tomcat.apache.org
Subject: DO NOT REPLY [Bug 24739] Control of secure flag when establishing sessions through https using cookies
X-Bugzilla-Product: Tomcat 4
X-Bugzilla-Component: Unknown
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: andrew@site9.net
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dev@tomcat.apache.org
X-Bugzilla-URL: https://issues.apache.org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=24739

--- Comment #7 from Andrew Mottaz 2011-02-22 13:04:11 EST ---

You actually made my point: SOME of the cookies are not secure.

My point is not that you should never have secure session cookies. It's that sometimes you don't want them secure. So, if it is appropriate for the session cookie to NOT be secure (i.e. I'm identified but don't have any special privileges), then I have to make sure that they hit a non-secure page first, instead of a secure log-in page. Look at Facebook.

You actually make the security issue worse because the security level of the cookie is seemingly arbitrary and undocumented: i.e. if you hit a secure page first it's secure. If you hit a non-secure page first it's not secure.

Why not just make it an explicit setting: session cookie secure or not secure. Then the developer decides explicitly. As it is now, it is confusing and arbitrary, and requires that you control every access to the site, which has a greater likelihood that someone allows sessions to accidentally be created on a non-secure page, or that someone sets a value EXPLICITLY to non-secure when they really meant that it be secure.

It's been 8 years. I don't really care about this to the extent that there are workarounds, but the proper solution IMHO is to make the security of the session cookie explicit. This improves both cases: it's MORE secure, and I can allow insecure session cookies from a secured first-page log-in.
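The first-hit dependence the comment describes, as an added illustration (a constructed model, not Tomcat's code; the `SessionManager` and `first_hit_dependence` names are made up): with the implicit policy the Secure flag of the session cookie is whatever the scheme of the session-creating request was, so an HTTP landing page followed by an HTTPS login leaves the session on a non-secure cookie; with an explicit deployment setting the visit order no longer matters.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of the two policies discussed in the bug comment.
# cookie_secure=None  -> implicit: Secure flag copied from the scheme of the
#                        request that created the session (the behaviour
#                        the commenter objects to).
# cookie_secure=True/False -> explicit: the flag is a fixed deployment choice.
# This is an illustration only, not Tomcat's session manager.

@dataclass
class Session:
    sid: str
    secure_cookie: bool          # value of the Secure attribute on the cookie

@dataclass
class SessionManager:
    cookie_secure: Optional[bool] = None
    sessions: Dict[str, Session] = field(default_factory=dict)
    counter: int = 0

    def request(self, scheme: str, sid: Optional[str]) -> Session:
        """Handle one request; create a session only if the client has none.
        An existing session keeps the flag it was created with, even when
        later requests arrive over a different scheme."""
        if sid is not None and sid in self.sessions:
            return self.sessions[sid]
        self.counter += 1
        if self.cookie_secure is None:
            secure = scheme == "https"       # implicit policy
        else:
            secure = self.cookie_secure      # explicit policy
        session = Session(sid=f"S{self.counter}", secure_cookie=secure)
        self.sessions[session.sid] = session
        return session

def first_hit_dependence(cookie_secure: Optional[bool]) -> Dict[str, bool]:
    """Secure flag a visitor ends up with for two visit orders:
    http-first (plain landing page, then HTTPS login) and https-first."""
    result = {}
    for first, second in (("http", "https"), ("https", "http")):
        mgr = SessionManager(cookie_secure=cookie_secure)
        session = mgr.request(first, None)   # first hit creates the session
        mgr.request(second, session.sid)     # second hit reuses it unchanged
        result[f"{first}-first"] = session.secure_cookie
    return result
```

A review check for a deployment that relies on the implicit policy is therefore whether any reachable entry page is served over plain HTTP, since that alone decides the flag.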