Reputation: 2095
My web application is using SSL entirely. I wanted some info on the following points:
I just wanted to know whether there is any chance of cookies being shared over HTTP and not over secure HTTPS.
Or, if an application uses SSL, what will be the default behavior of cookies? Will they be shared over HTTP or HTTPS?
Do I have to make some extra settings if I want to make sure that all cookies are shared over HTTPS only?
How do I make these settings (if required) for a Java application?
What does a secure cookie look like? Will it be visible encrypted, or will it not be visible at all?
In my application I am using the Mozilla add-on Firebug to check which cookies are secured. I can see that a few of the cookies are secured and a few of them are not. So how is this working? I am not using any specific property to make a few of the cookies secure.
Upvotes: 2
Views: 3427
Reputation: 36664
In Servlet 3.0 compliant application servers you can set the HttpOnly and Secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:
<session-config>
    ...
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
See Secure and HttpOnly flags for session cookie Websphere 7
For other cookies, you can set the secure flag:
public void setSecure(boolean flag)
Indicates whether the cookie should only be sent using a secure protocol, such as HTTPS or SSL.
http://docs.oracle.com/javase/7/docs/api/java/net/HttpCookie.html#setSecure%28boolean%29
Secure cookies do not use any (additional) encryption. The SSL/TLS transport layer provides the encryption for HTTPS, so the HTTP protocol including cookies will be encrypted.
Regarding Q 1..3: if the connection uses HTTP and you mark the cookies as secure, they will be sent to the client over HTTP, but a (compliant) client will not send them back over a non-secure connection. The default value for the secure flag is not specified afaik. And so I recommend setting the secure flag for all application-specified cookies to true if the web app is accessed over HTTPS (either directly or over a reverse proxy).
Upvotes: 3
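The answer above makes two points that are easy to check by hand: a Secure cookie is an ordinary cookie with a `Secure` attribute in its `Set-Cookie` header (no extra encryption), and a compliant client will receive such a cookie over any connection but only send it back over HTTPS. The following script, added here as an illustration and not part of the original question or answer, does what the asker did with Firebug: it parses a set of constructed `Set-Cookie` headers, reports which cookies lack the `Secure` and `HttpOnly` flags, and then models which cookies a compliant client would attach to a request over `http` versus `https`. The header values and the `JSESSIONID` value are constructed sample data; the function names are this example's own.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and model a compliant client."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample response headers (not captured from a real server).
# The first is what the web.xml <cookie-config> above produces for JSESSIONID;
# the other two stand for application cookies that were never flagged.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=0000abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "tracking=xyz; Path=/; Secure",
]


@dataclass
class ParsedCookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header into name/value plus its attributes.

    Secure and HttpOnly are boolean attributes (present or absent); all other
    attributes (Path, Domain, Max-Age, ...) are kept as key/value pairs.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        else:
            cookie.attributes[key] = val.strip()
    return cookie


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of flags it is missing (empty = OK)."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.http_only:
            missing.append("HttpOnly")
        findings[cookie.name] = missing
    return findings


def client_will_send(cookie: ParsedCookie, scheme: str) -> bool:
    """A compliant client returns a Secure cookie only on an https request.

    Cookies without the Secure flag are sent over both http and https, which
    is why unflagged cookies on an HTTPS-only site are still a risk if any
    http:// URL for the same host is ever requested.
    """
    return (not cookie.secure) or scheme == "https"


def cookie_header_for(cookies: List[ParsedCookie], scheme: str) -> str:
    """Build the Cookie request header a compliant client would send."""
    return "; ".join(
        f"{c.name}={c.value}" for c in cookies if client_will_send(c, scheme)
    )


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    parsed = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE_HEADERS]
    for scheme in ("http", "https"):
        print(f"Cookie header over {scheme}: {cookie_header_for(parsed, scheme)!r}")
```

Running it shows `JSESSIONID` passing the audit while `prefs` lacks both flags and `tracking` lacks `HttpOnly`; the modelled `http` request carries only `prefs=dark`, whereas the `https` request carries all three. For application cookies created in servlet code, the server-side equivalent of the flags checked here is `javax.servlet.http.Cookie#setSecure(true)` (and, from Servlet 3.0, `setHttpOnly(true)`), applied to each cookie before it is added to the response.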