Ticket #3461 enhancement new
Use secure session cookie when connection is secure
Reported by: mthuurne
Owned by: steiza
Currently, Request.getSession() returns a cookie that is not marked as secure, even if the request was made over HTTPS. This means that for example someone in control of a WiFi access point can trick the browser into sending the session cookie unencrypted. Since session cookies are often used to remember a user who was already authenticated, this would be bad.
I think it would be useful to add the notion of a "secure session" to the Session class. A secure session would use a session cookie that is marked as secure, so it will only be transmitted over a secure connection. If a Session object is created from an HTTPS request, it should be a secure session by default.
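The behaviour proposed above, as an added example that is not Twisted's own code: a session is marked secure when it is created from an HTTPS request, and its cookie then carries the Secure (and HttpOnly) attribute. `FakeRequest`, `get_session` and `SESSIONS` are assumed stand-ins for the real `Request`/`Session` machinery; the extra server-side check that refuses a secure session's id on a plain-HTTP request is an added defence-in-depth choice, not part of the ticket.

```python
import secrets

COOKIE_NAME = "TWISTED_SESSION"
SESSIONS = {}  # uid -> Session (in-memory store for the example)


class Session:
    """Minimal session object; `secure` records the connection it was created on."""

    def __init__(self, uid, secure):
        self.uid = uid
        self.secure = secure  # True when created from an HTTPS request


class FakeRequest:
    """Constructed stand-in for twisted.web.server.Request (assumption, not the real class)."""

    def __init__(self, is_https, cookies=None):
        self._is_https = is_https
        self.received_cookies = dict(cookies or {})
        self.sent_cookies = []  # (name, value, attributes) tuples the server would emit

    def isSecure(self):
        return self._is_https

    def getCookie(self, name):
        return self.received_cookies.get(name)

    def addCookie(self, name, value, **attrs):
        self.sent_cookies.append((name, value, attrs))


def get_session(request, force_secure=None):
    """Return the request's session, creating one if needed.

    By default the session is secure exactly when the request arrived over
    HTTPS; `force_secure` lets an application override that default.
    """
    secure = request.isSecure() if force_secure is None else force_secure
    uid = request.getCookie(COOKIE_NAME)
    session = SESSIONS.get(uid)
    # Defence in depth (added here): a secure session's id should only ever
    # reach the server over HTTPS, so ignore it if it arrives over plain HTTP.
    if session is not None and session.secure and not request.isSecure():
        session = None
    if session is None:
        uid = secrets.token_hex(16)
        session = SESSIONS[uid] = Session(uid, secure)
        # Secure=True keeps the browser from sending the cookie over HTTP;
        # HttpOnly keeps page scripts from reading it.
        request.addCookie(COOKIE_NAME, uid, path="/", secure=secure, httpOnly=True)
    return session
```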