How do I secure the session cookie? [was Re: General session questions...]
- Subject: How do I secure the session cookie? [was Re: General session questions...]
- From: Ramsey Gurley <email@hidden>
- Date: Tue, 07 Oct 2008 22:05:36 -0400
On Oct 7, 2008, at 9:37 PM, Ramsey Gurley wrote:
> I guess my question is: Are session cookies secure by default if a
> certificate is available? I know, I should just generate a
> certificate and test it, but was hoping you guys could save me that
> effort until I'm ready to mess with it :-) I ask, because it is my
> understanding that even if the entire site was https, an attacker
> could still hijack an insecure cookie and completely defeat my
> website's security...
>
> http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
>
> Well thanks for your insight so far Guido! You're always a huge
> help, and I do appreciate it :-)

Hmm, according to the docs, it is not
http://developer.apple.com/documentation/DeveloperTools/Reference/WO541Reference/com/webobjects/appserver/WOCookie.html#isSecure()
So, my question now becomes: Where can I intercept the creation of the
session cookie and make sure it is secure before sending it to the user?
Thanks everyone,
Ramsey