2

My web application is using SSL entirely. I wanted some info on following points :

  1. I just wanted to know that is there any chance of cookies shared on HTTP and not on secure https.

  2. Or if an application uses SSL then what will be default behavior of cookies. They will be shared over HTTP or HTTPS.

  3. Do I have to make some extra setting if I want to make sure that all cookies are shared over HTTPS only.

  4. How to make these setting (if required) for a java application.

  5. how does a secure cookies look like. Will it be visible encrypted or will not be visible at all.

In my application I am using mozilla add on : firebug to check what all cookies are secured.. I can see that few of the cookies are secured and few of them are not. So how this is working. I am not using any specific property to make secure few of the cookies.

Onki
  • 1,879
  • 6
  • 38
  • 58

1 Answers1

3

In Servlet 3.0 compliant application servers you can set the Http only and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:

<session-config>
    ...
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

See Secure and HttpOnly flags for session cookie Websphere 7

For other cookies, you can set the secure flag:

public void setSecure(boolean flag)

Indicates whether the cookie should only be sent using a secure protocol, such as HTTPS or SSL.

http://docs.oracle.com/javase/7/docs/api/java/net/HttpCookie.html#setSecure%28boolean%29

Secure cookies do not use any (additional) encryption. The SSL/TLS transport layer provides the encryption for HTTPS, so the HTTP protocol including cookies will be encrypted.

Regarding Q 1..3: if the connection uses HTTP and you mark the cookies as secure, they will be sent to the client over HTTP, but a (compliant) client will not send them back over a non-secure connection. The default value for the secure flag is not specified afaik. And so I recommend to set the secure flag for all application-spcified cookies to true if the web app is accessed over HTTPS (either directly or over a revers proxy).

Community
  • 1
  • 1
mjn
  • 36,362
  • 28
  • 176
  • 378
  • thanks @mjn for such quick response. This will secure all app specific cookies or only session cookie – Onki Oct 14 '14 at 08:01
  • thanks.. that solves my qs 4 n 5.. do you have info about 1,2,3 – Onki Oct 14 '14 at 08:45
  • @user3610891 I suggest to put your server-side code and the cookie information in a new Stackoverflow question – mjn Oct 14 '14 at 10:53