May 04, 2012 04:46 PM
Sure, if the user is always over SSL.
The problem is that if initially the user is not on SSL, but you're still using session (since it's not meant for authentication), the user will get a cookie. So then someone else on the network can steal the cookie. Then the user logs in and you switch to SSL, and you now save that flag in your session... the attacker has the cookie and replays it and now your server thinks the attacker is logged in.
So if the cookie is ever sent without SSL then you have this attack vector. Also, make sure that when the browser requests images, CSS and JS the cookie is not sent -- you need to set the HTTPS only flag for the cookies (with <httpCookies requireSSL="true"/>).
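Two checks a defender can run against the points raised in this reply, as an added example (not code from the thread or from ASP.NET): the first parses Set-Cookie headers and reports session/auth cookies that lack the Secure attribute (so they would be sent on any plain-HTTP request and could be captured and replayed as described above); the second scans a page for images, stylesheets and scripts referenced over plain http://, which is exactly the case where the browser would send such a cookie in the clear. The header strings and the HTML are constructed samples; the cookie names are the defaults ASP.NET uses, and the `shop.example` host is a placeholder.

```python
"""Audit cookies and subresources for the plain-HTTP leak described in the post.

Added example, not from the original forum thread. Everything below is
standard-library Python; the Set-Cookie values and the HTML page are
constructed samples.
"""
from html.parser import HTMLParser
from typing import List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    secure: bool      # Secure attribute present: browser only sends it over HTTPS
    http_only: bool   # HttpOnly attribute present: not readable by page scripts


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value and record its Secure/HttpOnly flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so compare them lowercased.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def find_insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that the browser would also send over plain HTTP."""
    return [r.name for r in map(parse_set_cookie, headers) if not r.secure]


class _SubresourceCollector(HTMLParser):
    """Collect the URLs of img/script src and link href attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])


def find_plain_http_subresources(html: str) -> List[str]:
    """Subresources fetched over http:// (the cookie goes with each request).

    Relative URLs inherit the page's scheme, so they are not flagged here.
    """
    collector = _SubresourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if u.lower().startswith("http://")]


# Constructed samples. WEAK_HEADERS mimics cookies issued without the Secure
# attribute; HARDENED_HEADERS mimics the same cookies once requireSSL is set.
WEAK_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=def456; path=/; HttpOnly",
]
HARDENED_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; secure",
    ".ASPXAUTH=def456; path=/; HttpOnly; secure",
]

# Constructed page: two subresources over plain HTTP, one over HTTPS, one relative.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://shop.example/site.css">
<script src="https://shop.example/app.js"></script>
</head><body>
<img src="http://shop.example/logo.png">
<img src="/relative.png">
</body></html>"""


if __name__ == "__main__":
    print("cookies without Secure (weak):    ", find_insecure_cookies(WEAK_HEADERS))
    print("cookies without Secure (hardened):", find_insecure_cookies(HARDENED_HEADERS))
    print("subresources over plain http://:  ", find_plain_http_subresources(SAMPLE_HTML))
```

Run it against real responses by feeding each Set-Cookie header value of a login or session-creating response into `find_insecure_cookies`, and the HTML of an authenticated page into `find_plain_http_subresources`; anything reported in either list is a request on which the session cookie travels in the clear.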