GWTP's CSRF protection sets a cookie whose value is either the JSESSIONID (see HttpSessionSecurityCookieFilter) or a random number (see RandomSecurityCookieFilter).
This works since attackers can't see cookies in CSRF attacks. However, if the attacker can sniff requests then they can see the cookie value, so it would be nice to mark the cookie secure to prevent sniffing.
Right now there's no easy way to mark either HttpSessionSecurityCookieFilter or RandomSecurityCookieFilter's cookies secure. Two different ideas:
- make this configurable via Guice/Spring, or
- quick and dirty: detect if the request is secure and if so, make the cookie secure:

```java
// Only flag the cookie Secure when the request itself arrived over TLS
if (request.isSecure()) {
    cookie.setSecure(true);
}
```
See original discussion on the GWTP mailing list.
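Added example (not GWTP's own code, and not from the issue author): a hypothetical servlet filter that issues a double-submit CSRF cookie and decides the Secure flag from an init-param, combining both ideas above. The cookie name, the `securePolicy` parameter and its values `always`/`never`/`auto` are assumptions chosen for the illustration.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical CSRF cookie filter: Secure flag policy is "always", "never" or "auto". */
public class SecureCsrfCookieFilter implements Filter {
    private static final String COOKIE_NAME = "SECURITY_COOKIE"; // placeholder, not GWTP's default
    private final SecureRandom random = new SecureRandom();
    private String securePolicy = "auto";

    @Override
    public void init(FilterConfig config) {
        String policy = config.getInitParameter("securePolicy"); // assumed init-param
        if (policy != null) securePolicy = policy.trim().toLowerCase();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!hasCookie(request)) {
            byte[] buf = new byte[16];
            random.nextBytes(buf); // unpredictable token, as in the random-cookie variant
            Cookie cookie = new Cookie(COOKIE_NAME,
                    Base64.getUrlEncoder().withoutPadding().encodeToString(buf));
            cookie.setPath("/");
            cookie.setSecure(shouldBeSecure(request));
            // No HttpOnly: the double-submit pattern needs client-side script to read this cookie.
            response.addCookie(cookie);
        }
        chain.doFilter(req, res);
    }

    /** "auto" trusts request.isSecure(); behind a TLS-terminating proxy that is false
     *  unless the container is configured to honour the proxy's forwarded-proto header,
     *  so "always" is the safer setting for such deployments. */
    boolean shouldBeSecure(HttpServletRequest request) {
        switch (securePolicy) {
            case "always": return true;
            case "never":  return false;
            default:       return request.isSecure();
        }
    }

    private static boolean hasCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return true;
        return false;
    }

    @Override public void destroy() { }
}
```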