On Thursday, June 16, 2011 7:35:18 PM UTC-4, pbreit wrote:

> Using session.secure() sets the "secure" flag on the session cookie which
> prevents it from ever being sent over a nonsecure channel. This should be
> sufficient to build a Firesheep-proof system.
I think setting the "secure" flag of the cookie simply tells the browser not to send the cookie back to the server over a nonsecure channel -- I don't think it prevents the server from sending the cookie to the browser in the first place (or even from accepting the cookie over a nonsecure channel). So, if you set session.secure() but are not using SSL, you'll still end up sending the cookie to the browser.

There's also the scenario where the user session starts out nonsecure (i.e., pre-login on the non-SSL part of the site) and then switches to secure. The problem is, in that case, the session cookie has already been sent over a nonsecure channel before you end up calling session.secure().

Anthony
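The two situations Anthony describes, modelled as an added example (not code from the thread or from web2py): a minimal browser cookie store that applies the Secure attribute only when sending, a constructed passive eavesdropper that records whatever crosses plain http, and two scenarios. `set_cookie_header(..., secure=True)` stands in for what `session.secure()` does to the cookie; the session ids and the `rotate_on_login` mitigation (issuing a fresh id over https at login instead of upgrading the old one) are assumptions for illustration.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "session_id"

def set_cookie_header(session_id, secure):
    """Set-Cookie value the server emits; secure=True models calling session.secure()."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["secure"] = secure
    return c[SESSION_COOKIE].OutputString()

class Browser:
    """Cookie store applying the Secure rule on *sending* only (RFC 6265 section 5.4)."""
    def __init__(self):
        self.jar = {}  # name -> (value, secure flag)
    def receive(self, header):
        c = SimpleCookie()
        c.load(header)  # a Secure cookie is stored even if it arrived over plain http
        for name, m in c.items():
            self.jar[name] = (m.value, bool(m["secure"]))
    def cookies_to_send(self, scheme):
        return {n: v for n, (v, sec) in self.jar.items() if scheme == "https" or not sec}

def exchange(browser, scheme, sniffed, issue=None):
    # One request/response; `sniffed` is a constructed eavesdropper recording ids seen on http.
    sent = browser.cookies_to_send(scheme)
    if issue:
        browser.receive(set_cookie_header(*issue))
    if scheme == "http":
        if SESSION_COOKIE in sent:
            sniffed.add(sent[SESSION_COOKIE])
        if issue:
            sniffed.add(issue[0])

def secure_flag_without_tls():
    """session.secure() on a site served only over http."""
    b, sniffed = Browser(), set()
    exchange(b, "http", sniffed, issue=("sid-A", True))  # Secure cookie issued in plaintext
    exchange(b, "http", sniffed)                          # browser now withholds it
    return {"leaked": "sid-A" in sniffed, "echoed": SESSION_COOKIE in b.cookies_to_send("http")}

def http_then_https_login(rotate_on_login):
    """Anonymous session over http, then login over https with session.secure()."""
    b, sniffed = Browser(), set()
    exchange(b, "http", sniffed, issue=("sid-B", False))  # pre-login cookie, no Secure flag
    exchange(b, "http", sniffed)                           # echoed in the clear while browsing
    new_id = "sid-C" if rotate_on_login else "sid-B"       # fresh id at login is the mitigation
    exchange(b, "https", sniffed, issue=(new_id, True))
    return b.jar[SESSION_COOKIE][0] in sniffed             # does the sniffer hold the logged-in id?
```

`secure_flag_without_tls()` reports the cookie leaked in the response yet never echoed back, and `http_then_https_login(False)` shows the upgraded session still usable by the eavesdropper, which `http_then_https_login(True)` avoids.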