id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,branch,branch_author,launchpad_bug
3461,Use secure session cookie when connection is secure,mthuurne,steiza,"Currently, Request.getSession() returns a cookie that is not marked as secure, even if the request was made over HTTPS. This means that, for example, someone in control of a WiFi access point can trick the browser into sending the session cookie unencrypted. Since session cookies are often used to remember a user who was already authenticated, this would be bad.

I think it would be useful to add the notion of a ""secure session"" to the Session class. A secure session would use a session cookie that is marked as secure, so it will only be transmitted over a secure connection. If a Session object is created from an HTTPS request, it should be a secure session by default.
",enhancement,new,high,,web,,,,branches/secure-session-3461,steiza,
