Use secure session cookie when connection is secure
Reported by: mthuurne | Owned by: Glyph
Currently, Request.getSession() returns a cookie that is not marked as secure, even if the request was made over HTTPS. This means that, for example, someone in control of a WiFi access point can trick the browser into sending the session cookie unencrypted. Since session cookies are often used to remember a user who was already authenticated, this would be bad.
I think it would be useful to add the notion of a "secure session" to the Session class. A secure session would use a session cookie that is marked as secure, so it will only be transmitted over a secure connection. If a Session object is created from an HTTPS request, it should be a secure session by default.
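The behaviour requested above, as an added sketch that is not part of the ticket or of Twisted's code: the Secure attribute is set only when the session was created from an HTTPS request, and a small audit helper flags a session cookie issued over HTTPS without it. The cookie name, function names and sample values are assumptions made for this example.

```python
# Added illustration using only the standard library.
# All names here are hypothetical and are not Twisted's API.
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSION"  # assumed cookie name for this sketch


def session_cookie_header(session_id, is_secure):
    """Build the Set-Cookie value for a session.

    is_secure is True when the request that created the session arrived
    over HTTPS; only then is the Secure attribute added, so the browser
    will refuse to send the cookie over plain HTTP.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    if is_secure:
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value, over_https):
    """Return findings for one Set-Cookie header value.

    A cookie issued on an HTTPS response without Secure is the condition
    the ticket describes: it can later leak over an unencrypted request.
    """
    # Everything after the first ';' is an attribute; names are
    # case-insensitive, so compare in lower case.
    attrs = [part.strip().lower() for part in header_value.split(";")[1:]]
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("session cookie set over HTTPS without Secure")
    return findings


if __name__ == "__main__":
    # Constructed sample: (request was HTTPS, Set-Cookie value as sent)
    samples = [
        (True, session_cookie_header("abc123", is_secure=False)),  # current behaviour
        (True, session_cookie_header("abc123", is_secure=True)),   # proposed behaviour
    ]
    for over_https, header in samples:
        print(header, "->", audit_set_cookie(header, over_https) or "ok")
```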
Change History (20)
comment:6 Changed 6 years ago by
Owner: changed from Glyph to Zach
Status: assigned → new