May 04, 2012 05:46 PM | BrockAllen
Sure, if the user is always over SSL.
The problem is that if initially the user is not on SSL, but you're still using session (since it's not meant for authentication), the user will get a cookie. So then someone else on the network can steal the cookie. Then the user logs in and you switch to SSL and you now save that flag in your session... the attacker has the cookie and replays it, and now your server thinks the attacker is logged in.
So if the cookie is ever sent without SSL then you have this attack vector. Also, make sure that when the browser requests images, CSS and JS the cookie is not sent -- you need to set the HTTPS-only flag for the cookies (with <httpCookies requireSSL="true"/>).
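The setting referred to in the reply above, shown in context as an added web.config fragment (a constructed example for a hypothetical application, not code from the thread or from BrockAllen): the weak default beside the hardened form, plus the matching requireSSL on the forms-authentication ticket.

```xml
<!-- Constructed web.config fragment for a hypothetical ASP.NET application. -->
<configuration>
  <system.web>
    <!-- Weak: cookies are also sent over plain HTTP, so the session cookie
         issued before the user is switched to SSL can be captured on the
         network and replayed after login. -->
    <!-- <httpCookies requireSSL="false" httpOnlyCookies="false" /> -->

    <!-- Hardened: every cookie ASP.NET issues is marked Secure (never sent
         over HTTP, including requests for images, CSS and JS) and HttpOnly
         (not readable from script). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Require SSL for the forms-authentication ticket as well, so the
         login cookie is never transmitted in the clear. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

With requireSSL set, the browser will not send the session cookie on any HTTP request, so the whole site (not just the login page) has to be served over HTTPS or users lose their session on the plain-HTTP pages.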