HomeDeveloper ForumsEcho 2.x Platform (Echo2)Help & Support (Echo2)

HTTPS Cookie Hijacking

Tue, 09/09/2008 - 13:01 — wordybird123

I have an HTTPS site with Echo2. I am wondering if there is any way to force cookies into secure only mode.

I noticed from this link that it is possible to sniff cookies and use them in an exploit, and also that echo2 seems to never set up cookies in the send / receive only via https mode.

Thanks.

‹ IE + ListBox scrolling to top after selection An application error has occured. Your session has been reset ›
Thu, 09/11/2008 - 04:12 — wordybird123

This works.

This works I think...

		Connection con = WebRenderServlet.getActiveConnection();
   		HttpServletRequest req = con.getRequest();

   		if(null != cookies){
	   		for(int i = 0; i < cookies.length; i++ ){
	   			cookies[i].setSecure(true);
	   		}
   		}