[play-framework] How can I set attribute "secure" to cookie on HTTPS connection?


ikeike443

Apr 19, 2010, 8:28:49 AM
to play-framework
Hi,

How can I set "secure" on a cookie on an HTTPS connection?

I did check the URL below, but I'm not sure.
http://www.playframework.org/documentation/1.0.2/security

I would like to know how to do that, or whether it is necessary.
If necessary, I would like it made clear whether it is safe without a "secure" cookie.

I love PlayFramework.

ikeike443

--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To post to this group, send email to play-fr...@googlegroups.com.
To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.

Erwan Loisant

Apr 19, 2010, 9:07:21 AM
to play-fr...@googlegroups.com
Hi,

On Mon, Apr 19, 2010 at 14:28, ikeike443 <ikei...@gmail.com> wrote:
> How can I set "secure" on a cookie on an HTTPS connection?

I looked at the source code and it seems like it's not possible
currently. We should probably expose that.

> I did check the URL below, but I'm not sure.
> http://www.playframework.org/documentation/1.0.2/security
>
> I would like to know how to do that, or whether it is necessary.
> If necessary, I would like it made clear whether it is safe without a "secure" cookie.

The fact that the cookies are signed protects you from
session hijacking: you can store the username in the session, and then
trust that the user has not modified his session cookies to pretend to
be someone else.

What is not safe is information that has to be kept secret. For
example, you should not store the credit card number in the session.

Having the "secure" flag on the cookie would only mean that the
browser will not send the cookie over http, only https. That would
protect against eavesdropping on a local network, but would still leave
an unencrypted trace on the user's computer, so it's not recommended.


--
Erwan Loisant
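
As an added illustration of the distinction made in the reply above (example code written for this thread, not Play's own implementation): a session cookie that carries an HMAC signature in the shape "<signature>-<data>" can be checked for tampering, yet its data part travels and is stored in the clear. The secret, the cookie contents and the helper names below are made up for the demo; Play 1 signs its session cookie with its own Crypto class and application.secret, which this code does not reproduce.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SignedSessionDemo {
    // Hypothetical server-side secret; never shipped to the browser.
    private static final byte[] SECRET =
            "demo-only-secret-do-not-use".getBytes(StandardCharsets.UTF_8);

    /** HMAC-SHA1 of the session data as lowercase hex (hex never contains '-'). */
    static String hmacHex(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA1"));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Build the cookie value: signed, but the data stays readable in clear text. */
    static String encode(String data) throws Exception {
        return hmacHex(data) + "-" + data;
    }

    /** Return the session data if the signature verifies, otherwise null. */
    static String decode(String cookieValue) throws Exception {
        int dash = cookieValue.indexOf('-');
        if (dash < 0) return null;
        byte[] given = cookieValue.substring(0, dash).getBytes(StandardCharsets.UTF_8);
        String data = cookieValue.substring(dash + 1);
        byte[] expected = hmacHex(data).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so response timing does not leak the valid signature.
        return MessageDigest.isEqual(expected, given) ? data : null;
    }

    public static void main(String[] args) throws Exception {
        String cookie = encode("username=alice");
        // Anyone who can read the cookie (network sniffer, disk) sees the username.
        System.out.println("cookie on the wire : " + cookie);
        System.out.println("valid cookie decodes: " + decode(cookie));

        // An attacker keeps the signature but swaps the data: verification fails.
        String forged = cookie.substring(0, cookie.indexOf('-') + 1) + "username=admin";
        System.out.println("forged cookie decodes: " + decode(forged)); // null
    }
}
```

The signature stops a user from editing their own session to become someone else, which is the protection described above. It does nothing against an attacker who simply captures a valid cookie on a plaintext HTTP hop and replays it, which is the case the "secure" flag addresses, and it does not hide the data, which is why secrets do not belong in the session at all.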

ikeike443

Apr 19, 2010, 10:10:02 AM
to play-framework
Oh...

Thank you for your quick response.

The "secure" flag is less important, though I think it is Play's
problem.
I never put critical information like a credit card number, but that Play
can't set the "secure" flag means Play is not a very secure framework
compared to other frameworks.

I love Play Framework, so I strongly hope that Play will be able to set
the "secure" flag on cookies over HTTPS.

regards,
ikeike443


ikeike443

Apr 19, 2010, 11:12:56 AM
to play-framework
What can I do for that at this time: deploy my Play app on a
servlet container like Tomcat, or modify the Play source code?

Tomcat can set the "secure" flag by customizing server.xml, can't it?

thanks,
ikeike443

ikeike443

Apr 20, 2010, 5:40:52 AM
to play-framework
I tried to set the "secure" attribute on the cookie by deploying on Tomcat.
I used mod_proxy_ajp, and wrote server.xml like this:

<Connector port="8009" secure="true"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Then Tomcat itself could set "secure"; however, the Play app on it
couldn't.

I think this is because play.mvc.Http sets its "secure" field to "false" by
default, and this field never turns to true except in parseRequest.

Please tell me another way to solve this problem.
If I can't solve this, I may have to switch framework and re-build my
app...
Setting the secure cookie is a must in my situation.

regards,
ikeike443

Erwan Loisant

Apr 20, 2010, 5:46:39 AM
to play-fr...@googlegroups.com
Please fill a but, I'll fix it ASAP.

ikeike443

Apr 20, 2010, 6:12:10 AM
to play-framework
Thank you for your quick response.

I couldn't get the meaning of "fill a but". I'm not good at English.

Anyway, I'm glad you said "fix it".

I would set this on application.conf like below.

application.session.cookie.secure=true


regards,
ikeike443

Erwan Loisant

Apr 20, 2010, 6:15:37 AM
to play-fr...@googlegroups.com
Sorry, it's a typo, I meant fill a bug.

https://bugs.launchpad.net/play/+filebug

ikeike443

Apr 20, 2010, 6:23:59 AM
to play-framework
I see. :)

I'll fill a bug quickly.

regards,
ikeike443

ikeike443

Jun 1, 2010, 3:33:21 AM
to play-framework
I modified the play.mvc.Http.Cookie source code simply as below.
(The class is nested inside play.mvc.Http; these imports go at the top of Http.java.)

import java.io.Serializable;
import java.util.Properties;

import play.Play;

    /**
     * An HTTP Cookie
     */
    public static class Cookie implements Serializable {
        // add by ikeike443 2010.06.01: read the default for the secure flag
        // from application.conf once, when the class is loaded
        static boolean secureflag;
        static {
            Properties p = Play.configuration;
            secureflag = Boolean.parseBoolean(p.getProperty("ikeda.http.cookie.secure", "false"));
        }

        /**
         * Cookie name
         */
        public String name;
        /**
         * Cookie domain
         */
        public String domain;
        /**
         * Cookie path
         */
        public String path = "/";
        /**
         * for HTTPS ?
         */
        public boolean secure = secureflag; /* was: false; */ // mod by ikeike443 2010.06.01
        /**
         * Cookie value
         */
        public String value;
        /**
         * Cookie max-age
         */
        public Integer maxAge;
        /**
         * Don't use
         */
        public boolean sendOnError = false;
    }




Erwan Loisant

Jun 1, 2010, 4:35:03 AM
to play-fr...@googlegroups.com
Hi,

I've added a way to add secured cookies but I should indeed add a way
to make session cookies secured. I'll reopen bug 567169.

https://bugs.launchpad.net/play/+bug/567169


--
Erwan Loisant

ikeike443

Jun 1, 2010, 6:24:29 AM
to play-framework
Hi,

ServletWrapper can get scheme information by calling
HttpServletRequest#getScheme, so I feel you can set the secure flag on session
cookies only over the https protocol.

But ServletWrapper is available only when your app is deployed on a servlet
container like Tomcat, Jetty, and so on.

I tried the same way in HttpHandler, but it didn't work.

regards,
ikeike443

Erwan Loisant

Jun 1, 2010, 8:18:48 AM
to play-fr...@googlegroups.com
OK, I completed my fix to read application.session.secure for
Flash info as well.

I don't think it's a good idea to default to the cookie having the secure
flag each time the page is accessed over https. It's better to let the
developer decide when to use the secure flag and when not.


ikeike443

Jun 1, 2010, 9:28:28 AM
to play-framework
I agree. It is better to let us decide.
I'll try play1.1. Thank you a lot!

Keep in touch!

regards,
ikeike443

ikeike443

Jun 1, 2010, 9:47:07 AM
to play-framework
Hi,

I think it's better to decide based on a matrix of application.conf and
scheme information.

If application.session.secure is true and the scheme is "https", put the
secure flag.
If application.session.secure is true but the scheme is "http", don't put
the flag.
If application.session.secure is false, never put the flag.

I would listen to your opinion.

regards,
ikeike443
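
To make the three rules above concrete, here is an added example written for this proposal; it is not code from Play itself. It assumes the config key is application.session.secure, as in Erwan's fix, and that the request scheme is available to the application as a string. The cookie name PLAY_SESSION, the helper names and the sample values are made up for the demo.

```java
import java.util.Properties;

public class SecureFlagPolicy {
    /** Config key from the thread; the name is assumed, not read from Play's docs. */
    static final String CONFIG_KEY = "application.session.secure";

    /** Read the developer's choice from application.conf (absent means false). */
    static boolean configuredSecure(Properties config) {
        return Boolean.parseBoolean(config.getProperty(CONFIG_KEY, "false"));
    }

    /**
     * The matrix: flag only when the developer asked for it AND the request
     * really arrived over https. Config false never sets the flag.
     */
    static boolean secureFlagFor(boolean configuredSecure, String scheme) {
        return configuredSecure && "https".equalsIgnoreCase(scheme);
    }

    /** Render the Set-Cookie header, appending the Secure attribute when decided. */
    static String setCookieHeader(String name, String value, String path, boolean secure) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value).append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Properties conf = new Properties();
        String value = "1a2b3c-username=alice"; // constructed signed-cookie value

        conf.setProperty(CONFIG_KEY, "true");
        for (String scheme : new String[] {"https", "http"}) {
            boolean secure = secureFlagFor(configuredSecure(conf), scheme);
            System.out.println("config=true  scheme=" + scheme + " -> "
                    + setCookieHeader("PLAY_SESSION", value, "/", secure));
        }

        conf.setProperty(CONFIG_KEY, "false");
        boolean secure = secureFlagFor(configuredSecure(conf), "https");
        System.out.println("config=false scheme=https -> "
                + setCookieHeader("PLAY_SESSION", value, "/", secure));
    }
}
```

Which scheme the application sees is the weak point of this matrix: behind mod_proxy_ajp or any other reverse proxy the backend may observe "http" even though the browser used HTTPS, which is exactly what the secure="true" attribute on the Tomcat AJP connector earlier in this thread corrects. The rule only works if the scheme passed in reflects the client's connection, not the last hop to the backend.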

ikeike443

Jun 1, 2010, 11:57:09 PM
to play-framework
Thank you.

I checked and ran the nightly build "play-1.1-unstable-r921.zip".
It worked well.

And I will try to implement the above matrix when adding the secure
flag, in my local repo.

regards,
ikeike443

Javier Rubio Larred

Mar 19, 2014, 1:30:08 PM
to play-fr...@googlegroups.com
Hello,

I am trying to set the secure flag on the PLAY_SESSION cookie from the application.conf file, but I do not get it. Can you please tell me what the exact key in the config file is? I have checked the documentation and it says "application.session.cookie", but I do not get it. Can you please advise?

Thank you in advance.

Regards

Byron Weber Becker

Mar 22, 2014, 8:16:45 AM
to play-fr...@googlegroups.com
I don't know the answer to your question, but I do observe you asked it in a thread that pre-dates Play 2 and that a Google search of "application.session.cookie" turns up documentation to Play 1, not Play 2.

Byron