Yeah, you're right. I wasn't clear in my explanations. It would only
allow you to use it on an https connection so it is sent encrypted on
the network. It means your cookie will be unavailable when the user
connects through a normal HTTP connection (http). It will only be
available through an HTTP/SSL connection (https).

Deepa, everything sent on the network through an https connection will
be encrypted. Nobody can interpret what is sent on the network
whenever you use an https URL for your pages containing private data
(example: login page). But yeah, a cookie is usually saved in plain
text. Internet Explorer and Firefox allow you to see their values
quite easily, so if you decide to store the user password in a cookie,
you should encrypt the value yourself before sending it.

I have never done that myself so I can't help you there. But I am sure
there are some Java security experts on this users list.

On 12/14/05, Tamas Szabo <[EMAIL PROTECTED]> wrote:
> According to my knowledge cookie.setSecure(true) doesn't encrypt
> anything. If you call it then the cookie will be sent only over
> a secure connection. So if you have an unsecure connection the cookie
> will not be used.
>
> Tamas
>
> On 12/14/05, Deepa Khetan <[EMAIL PROTECTED]> wrote:
> >
> > Thanks Alexandre!!
> > Just couple of doubts... what do u mean by "It doesn't encrypt the values
> > stored on the client. You have to do it yourself." ?? Does that mean that
> > the values will be visible in clear text?? How can i check how the data is
> > getting encrypted over the network?? Do i need to use some tool for it??
> > Actually, before implementing it, i need to tell all the pros and cons for
> > secured Cookies to my client. So, i need to do my homework thoroughly.
> >
> >
> >
> > On 12/14/05, Alexandre Poitras <[EMAIL PROTECTED]> wrote:
> > >
> > > If you set this property to true, your cookie will be sent over an
> > > HTTP/SSL (https) connection. What it means is that every value to be
> > > stored in this cookie is encrypted before being sent on the network.
> > > This way, any malicious third party who is *sniffing* the network
> > > can't read the values to be stored in this cookie. You should only use
> > > it if you store sensible information in the cookie that you don't want
> > > anyone to intercept. But be warned that the cookie can still be
> > > accessed by the client, so it isn't the best place to store a password
> > > unless you use encrypted values. Cookie.setSecure() only encrypts data
> > > sent on the network, which is decrypted by the client when it is
> > > received. It doesn't encrypt the values stored on the client. You have
> > > to do it yourself.
> > >
> > > On 12/13/05, Deepa Khetan <[EMAIL PROTECTED]> wrote:
> > > > Hi!!
> > > > I am not getting any help from net about this issue. So, posting this question
> > > > on this group.
> > > > I want to know exactly what difference does it make if i set
> > > > Cookie.setSecure(true)?? I am using SSL in my application. What are the
> > > > advantages or disadvantages of doing it from security point of view.
> > > >
> > > > Please help
> > > >
> > > > Deepa
> > > >
> > > >
> > >
> > >
> > > --
> > > Alexandre Poitras
> > > Québec, Canada
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
>
>


--
Alexandre Poitras
Québec, Canada
