Re: How do I secure the session cookie? [was Re: General session questions...]


  • Subject: Re: How do I secure the session cookie? [was Re: General session questions...]
  • From: Anjo Krank <email@hidden>
  • Date: Wed, 8 Oct 2008 16:32:24 +0200

Another way would be to get the remote_host and put it in a cookie too (encrypted/hashed) and compare it in further invocations - or hash it and add it to the session ID itself.

Cheers, Anjo

On 08.10.2008 at 14:20, Mike Schrag wrote:

So, my question now becomes: Where can I intercept the creation of the session cookie and make sure it is secure before sending it to the user?
I read that session hijacking article a week or so ago and was meaning to add in an override to Wonder ... sooo ... If you use Wonder, you can checkout the latest commit where there is a new ERXSession method:

/**
 * Override and return true if you want secure-only session and instance cookies. This prevents
 * cookie hijacking man-in-the-middle attacks. Note that to make this effective (and for sessions to
 * work at all), your site must be behind HTTPS at all times. In development mode, you can disable
 * secure mode (@see er.extensions.ERXRequest.isSecureDisabled) for running in direct-connect
 * with this mode enabled.
 *
 * @return whether or not secure cookies are enabled
 */
public boolean useSecureSessionCookies() {
    return false;
}


Returning true for this method will cause Wonder to convert your session and instance cookies to be secure-only cookies before they go out over the wire.

ms
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
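Anjo's host-binding suggestion and Mike's secure-only cookie, worked through as an added example that is neither Wonder code nor either author's: the session id is paired with an HMAC over the client address, re-checked on later requests, and emitted with the Secure attribute. The key, cookie name and addresses are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _tag(session_id: str, remote_host: str, key: bytes) -> str:
    """HMAC-SHA256 over the session id and the client address that issued it."""
    msg = f"{session_id}|{remote_host}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bind_session(session_id: str, remote_host: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value to send: session id plus the binding tag (host is not stored in clear)."""
    return f"{session_id}.{_tag(session_id, remote_host, key)}"


def verify_session(cookie_value: str, remote_host: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the tag matches this request's address, else None.

    A None result means the cookie was tampered with or is being replayed from
    another host; the caller should treat the session as unauthenticated.
    """
    session_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not session_id:
        return None
    expected = _tag(session_id, remote_host, key)
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    return session_id if hmac.compare_digest(tag, expected) else None


def set_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build the Set-Cookie line; Secure stops the browser sending it over plain HTTP."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)
```

Address binding breaks for clients whose address changes mid-session (mobile networks, proxy pools), so a mismatch is a reason to require re-authentication, not proof of hijacking by itself.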

  • Follow-Ups:
    • Re: How do I secure the session cookie? [was Re: General session questions...]
      • From: Mike Schrag <email@hidden>
  • References:
    • General session questions... (From: Ramsey Gurley <email@hidden>)
    • Re: General session questions... (From: Guido Neitzer <email@hidden>)
    • Re: General session questions... (From: Ramsey Gurley <email@hidden>)
    • How do I secure the session cookie? [was Re: General session questions...] (From: Ramsey Gurley <email@hidden>)
    • Re: How do I secure the session cookie? [was Re: General session questions...] (From: Mike Schrag <email@hidden>)
