tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat
Date Wed, 18 Jun 2014 14:23:24 GMT

Konstantin,

On 6/18/14, 5:34 AM, Konstantin Kolinko wrote:
> 2014-06-18 11:57 GMT+04:00 Konstantin Kolinko
> <knst.kolinko@gmail.com>:
>>> 
>>> HTTP/1.1 302 Found
>>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
>>> Pragma: No-cache
>>> Cache-Control: no-cache
>>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
>>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
>>> Location: https://X.Y.A.B/admin/login.jsp
>>> Content-Length: 0
>>> Date: Tue, 17 Jun 2014 16:21:17 GMT
>>> Server: XYZ
>>> 
>> 
>> With that value of "Expires" the cookie is actually being
>> cleared, not set.
>> 
> 
> The 'Secure' flag says that the browser should never send the
> cookie to the server over a non-secure connection.
> 
> When the cookie is being cleared, the "Secure" flag is irrelevant,
> as the cookie will not be sent back by the browser.

+1

> The "HttpOnly" flag says that the cookie should not be accessible
> from Javascript code running in the browser. If the cookie is being
> deleted, is there a way to access it from Javascript? I think that
> there is no such way.

+1

I think this is a spurious error being flagged by the security
scanner. Adding "HttpOnly" and "Secure" flags to the "expire"
Set-Cookie header is just a waste of bytes because they have no effect
whatsoever on what the client does with the cookie (it always deletes
it, unless the system clock is set horribly wrong).

- -chris
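As an added example that is not part of the thread (my own code, not Tomcat's or the scanner's): a small Python triage check that parses Set-Cookie headers, recognises an "expire" header (Max-Age <= 0 or Expires in the past), and only demands Secure/HttpOnly on headers that actually set a cookie. The sample headers are constructed, modelled on the response quoted above.

```python
# Added example: classify Set-Cookie headers so a scanner only requires
# Secure/HttpOnly on headers that set a cookie, not on ones that clear it.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, modelled on the response quoted in the thread.
SAMPLE_HEADERS = [
    "JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT",
    "JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly",
    "JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value, attrs


def is_deletion(attrs, now=None):
    """True when the header clears the cookie: Max-Age <= 0, or Expires in the past."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        return int(attrs["max-age"]) <= 0  # Max-Age takes precedence over Expires
    if "expires" in attrs:
        # Tomcat writes "01-Jan-1970" with dashes; normalise to the RFC 1123 form.
        text = attrs["expires"].replace("-", " ")
        try:
            expires = parsedate_to_datetime(text)
        except (TypeError, ValueError):
            return False  # unparseable date: treat as a session cookie, not a deletion
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def missing_flags(header, now=None):
    """Flags a scanner should demand on this header; none for a deletion header."""
    _, _, attrs = parse_set_cookie(header)
    if is_deletion(attrs, now):
        return []
    return [flag for flag in ("secure", "httponly") if flag not in attrs]
```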
