SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context #1456

Closed
spring-issuemaster opened this Issue Aug 10, 2009 · 2 comments

1 participant

@spring-issuemaster

Jared Stehler (Migrated from SEC-1217) said:

As per the aforementioned thread:

"If you use HTTPS exclusively, then it is a good idea to set the "secure" flag on the cookie. You can do this by overriding the setCookie method on the AbstractRememberMeServices implementation you are using."

This is as simple as adding a single line to AbstractRememberMeServices.setCookie():

    cookie.setSecure( request.isSecure() );

With this snippet, when the request is made from a secure context, the cookie will be sent with a 'secure' attribute set. This could be made optional with a configuration flag; I just think it's messy to require clients to override this class for such simple functionality.

@spring-issuemaster

Luke Taylor said:

This is something I've been meaning to implement for a while and is a good idea. However, it's not as simple as adding that snippet of code as that assumes that the cookie will always be used over a secure connection (which may not be what's desired). A configuration flag "useSecureCookie" would probably be a better approach. If the flag is set, then the cookies will always have the secure flag set on them. More complicated behaviour can still be obtained by extending the class. In most cases where sites are ultra-concerned about security, remember-me functionality shouldn't really be used to start with.

@spring-issuemaster

Luke Taylor said:

I've added a useSecureCookie flag to the class and a corresponding use-secure-cookie attribute to the remember-me namespace element.
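An added example, not code from this issue or from Spring Security itself, showing the extension route Luke mentions: a TokenBasedRememberMeServices subclass whose setCookie override decides the 'secure' attribute from a policy rather than a fixed flag. It assumes the protected setCookie/encodeCookie/getCookieName methods of AbstractRememberMeServices, Servlet 3.0's Cookie.setHttpOnly, and a reverse proxy that sets X-Forwarded-Proto (a constructed deployment detail).

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Remember-me services that set the 'secure' cookie attribute when the
 * request arrived over TLS, including the case where TLS was terminated
 * by a reverse proxy in front of the container. Example subclass, not
 * part of Spring Security.
 */
public class ProxyAwareRememberMeServices extends TokenBasedRememberMeServices {

    /** Assumption: the proxy in front of the container sets this header. */
    private static final String FORWARDED_PROTO = "X-Forwarded-Proto";

    public ProxyAwareRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    /**
     * request.isSecure() is only true when the container itself handled TLS,
     * so the one-line patch from the issue would leave the flag unset behind
     * a TLS-terminating proxy. Trust the forwarded header only when the
     * container is known to sit behind such a proxy; otherwise a client could
     * set it and downgrade the cookie to a non-secure one.
     */
    protected boolean isSecureContext(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String proto = request.getHeader(FORWARDED_PROTO);
        return proto != null && proto.equalsIgnoreCase("https");
    }

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), encodeCookie(tokens));
        cookie.setMaxAge(maxAge);
        // Same path rule AbstractRememberMeServices uses: context path, or "/" for the root context.
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.length() > 0 ? contextPath : "/");
        cookie.setSecure(isSecureContext(request));
        cookie.setHttpOnly(true); // Servlet 3.0+: keeps the token out of reach of page script
        response.addCookie(cookie);
    }
}
```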

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016