I was planning on recommending some ESAPI integration strategies to a
client and came across what appears to be a bug in the
SecurityWrapperResponse object. Looking at the “createCookieHeader” method,
it forcefully adds the “Secure” flag without even checking the
configuration and/or the “secure” boolean argument supplied to the method.
Won’t this break applications that are not running over SSL? This method is
called by addCookie when there are no errors or if the mode is sanitize. Is
there a way to optionally enable the Secure flag in this object that I am
missing?
Original issue reported on code.google.com by eshe...@gmail.com on 7 Jun 2010 at 1:26
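As an added illustration (not ESAPI's code and not the reporter's), the Java sketch below shows a cookie-header builder that only emits the Secure attribute when the caller's `secure` argument, or a hypothetical `forceSecureCookies` configuration flag, asks for it, alongside a check that mirrors the browser rule behind the concern: a cookie marked Secure is never sent back over plain HTTP, so a session cookie set that way on a non-TLS site is dropped on the next request. The class, method and field names are assumptions made for this example.

```java
import java.util.Locale;

/** Added example: a Set-Cookie builder that honours the caller's secure flag. */
public class CookieHeaderExample {

    /** Hypothetical configuration knob: force Secure on every cookie regardless of the argument. */
    static boolean forceSecureCookies = false;

    /**
     * Build a Set-Cookie header value. Secure is appended only when the caller requested it
     * or the (hypothetical) configuration forces it; HttpOnly is always appended.
     */
    static String createCookieHeader(String name, String value, int maxAge,
                                     String domain, String path, boolean secure) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (domain != null && !domain.isEmpty()) {
            sb.append("; Domain=").append(domain);
        }
        if (path != null && !path.isEmpty()) {
            sb.append("; Path=").append(path);
        }
        if (secure || forceSecureCookies) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }

    /**
     * Mirrors the browser rule the report worries about: a cookie carrying the Secure
     * attribute is only returned on requests made over HTTPS.
     */
    static boolean browserWouldReturnCookie(String setCookieValue, boolean requestOverHttps) {
        boolean secureFlag = false;
        for (String attribute : setCookieValue.split(";")) {
            if (attribute.trim().toLowerCase(Locale.ROOT).equals("secure")) {
                secureFlag = true;
            }
        }
        return requestOverHttps || !secureFlag;
    }

    public static void main(String[] args) {
        // Constructed sample cookies: one set without Secure, one with it.
        String plainHeader  = createCookieHeader("JSESSIONID", "abc123", 3600, null, "/", false);
        String secureHeader = createCookieHeader("JSESSIONID", "abc123", 3600, null, "/", true);

        System.out.println("plain header : " + plainHeader);
        System.out.println("secure header: " + secureHeader);

        // Over plain HTTP the cookie without Secure comes back; the one with Secure does not,
        // which is the breakage the report predicts for applications not running over SSL.
        System.out.println("plain cookie returned over http  : "
                + browserWouldReturnCookie(plainHeader, false));
        System.out.println("secure cookie returned over http : "
                + browserWouldReturnCookie(secureHeader, false));
        System.out.println("secure cookie returned over https: "
                + browserWouldReturnCookie(secureHeader, true));
    }
}
```

Running `main` prints both header values and the three return-cookie checks; the second check is the case the report describes, where a Secure cookie set over HTTP is never sent back by the browser.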