https://issues.apache.org/bugzilla/show_bug.cgi?id=24739
--- Comment #7 from Andrew Mottaz <and...@site9.net> 2011-02-22 13:04:11 EST --- You actually made my point SOME of the cookies are not secure. My point is not that you should never have secure session cookies. It's that sometimes you don't want them secure. So - if it is appropriate for the session cookie to NOT be secure ( i.e. - I'm identified but don't have any special privileges ), then I have to make sure that they hit a non-secure page first, instead of a secure log-in page. Look at facebook. You actually make the security issue worse because the security level of the cookie is seemingly arbitrary and undocumented: i.e. -- if you hit a secure page first its secure. If you hit a non-secure page first its not secure. Why not just make it an explicit setting -- Session Cookie secure or not secure. Then the developer decides explictly. As it is now, it is confusing and arbirtary, and requires that you control every access to the site -- which has a greater likelihood - that someone allows sessions to accidentally be created on a non-secure page, or that someone sets a value EXPLICITLY to non-secure when they really meant that it be secure. It's been 8 years - I don't really care about this to the extent that there are workarounds, but the proper solution IMHO is to make the security of the session cookie explicit. This improves both cases - Its MORE secure, and I can allow insecure session cookies from a secured first page log-in. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
