Re: How do I secure the session cookie? [was Re: General session questions...]
  • Subject: Re: How do I secure the session cookie? [was Re: General session questions...]
  • From: Mike Schrag <email@hidden>
  • Date: Wed, 8 Oct 2008 08:20:48 -0400

So, my question now becomes: Where can I intercept the creation of the session cookie and make sure it is secure before sending it to the user?
I read that session hijacking article a week or so ago and was meaning to add in an override to Wonder ... sooo ... If you use Wonder, you can check out the latest commit where there is a new ERXSession method:

  /**
   * Override and return true if you want secure-only session and instance cookies.  This prevents
   * cookie hijacking man-in-the-middle attacks.  Note that to make this effective (and for sessions to
   * work at all), your site must be behind HTTPS at all times.  In development mode, you can disable
   * secure mode (@see er.extensions.ERXRequest.isSecureDisabled) for running in direct-connect
   * with this mode enabled.
   *
   * @return whether or not secure cookies are enabled
   */
  public boolean useSecureSessionCookies() {
    return false;
  }

Returning true for this method will cause Wonder to convert your session and instance cookies to be secure-only cookies before they go out over the wire.

ms
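A deployment check to go with this, added here as an example and not code from the Wonder project: it parses the Set-Cookie headers of a captured response (for instance the output of curl -i against the HTTPS front end) and reports any session or instance cookie that still lacks the Secure attribute, which is the condition the override above is meant to remove. It assumes the default WebObjects cookie names wosid and woinst, and the sample responses are constructed.

```python
"""Check that a WebObjects/Wonder response sends its session cookies Secure-only.
Added example, not Wonder code. Assumes default cookie names wosid and woinst."""

SESSION_COOKIE_NAMES = {"wosid", "woinst"}  # assumption: default WebObjects names

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() or True  # flag attrs become True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def extract_set_cookies(raw_response: str) -> list:
    """Pull every Set-Cookie header out of a raw HTTP response (e.g. `curl -i` output)."""
    head = raw_response.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    return [line.split(":", 1)[1].strip()
            for line in head.split("\n")
            if line.lower().startswith("set-cookie:")]

def audit_session_cookies(raw_response: str) -> list:
    """Return (cookie name, missing attribute) for each session/instance cookie
    that lacks Secure, i.e. one the browser would also send over plain HTTP."""
    findings = []
    for header in extract_set_cookies(raw_response):
        cookie = parse_set_cookie(header)
        if cookie["name"] in SESSION_COOKIE_NAMES and "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "Secure"))
    return findings

# Constructed sample responses: before and after enabling useSecureSessionCookies().
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: wosid=EXAMPLESESSIONID; path=/\r\n"
    "Set-Cookie: woinst=-1; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SECURE_RESPONSE = INSECURE_RESPONSE.replace("path=/", "path=/; secure")

if __name__ == "__main__":
    for label, resp in (("before", INSECURE_RESPONSE), ("after", SECURE_RESPONSE)):
        print(label, audit_session_cookies(resp) or "all session cookies Secure")
```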