Cookies set with the &quot;Secure&quot; keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if &quot;secure&quot; is absent, the cookie may be sent over an insecure connection.

In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.

* **HTTP**: Cookie **with &quot;Secure&quot;** will be returned only on **HTTPS** connections (pointless to do, see note below)
* **HTTPS**: Cookie **with &quot;Secure&quot;** will be returned only on **HTTPS** connections
* **HTTP**: Cookie **without &quot;Secure&quot;** will be returned on **HTTP** or **HTTPS** connections
* **HTTPS**: Cookie **without &quot;Secure&quot;** will be returned on **HTTP** or **HTTPS** connections (could leak secure information)

______________________

Reference: [RFC 2109](http://www.w3.org/Protocols/rfc2109/rfc2109)
See 4.2.2 (page 4), 4.3.1

*Note*: It is no longer possible to set &quot;secure&quot; cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the [Strict Secure Cookies specification](https://www.chromestatus.com/feature/4506322921848832).

Is there a Linux equivalent of `__declspec(dllexport)` notation for explicitly exporting a function from a shared library? For some reason with the toolchain I&#39;m using, functions that aren&#39;t class members don&#39;t appear in the resulting shared library file.

Explicitly exporting shared library functions in Linux

I&#39;m trying to find a way to implement both a custom `QuerySet` and a custom `Manager` without breaking DRY.  This is what I have so far:

    class MyInquiryManager(models.Manager):
        def for_user(self, user):
            return self.get_query_set().filter(
                        Q(assigned_to_user=user) |
                        Q(assigned_to_group__in=user.groups.all())
                    )
    
    class Inquiry(models.Model):   
        ts = models.DateTimeField(auto_now_add=True)
        status = models.ForeignKey(InquiryStatus)
        assigned_to_user = models.ForeignKey(User, blank=True, null=True)
        assigned_to_group = models.ForeignKey(Group, blank=True, null=True)
        objects = MyInquiryManager()

This works fine, until I do something like this:

    inquiries = Inquiry.objects.filter(status=some_status)
    my_inquiry_count = inquiries.for_user(request.user).count()

This promptly breaks everything because the `QuerySet` doesn&#39;t have the same methods as the `Manager`.  I&#39;ve tried creating a custom `QuerySet` class, and implementing it in `MyInquiryManager`, but I end up replicating all of my method definitions.

I also found [this snippet][1] which works, but I need to pass in the extra argument to `for_user` so it breaks down because it relies heavily on redefining `get_query_set`.

Is there a way to do this without redefining all of my methods in both the `QuerySet` and the `Manager` subclasses?


  [1]: http://adam.gomaa.us/blog/2009/feb/16/subclassing-django-querysets/

Custom QuerySet and Manager without breaking DRY?

Can cookies set using HTTP be read using HTTPS?

Reading cookies via HTTPS that were set using HTTP

<p>Can cookies set using HTTP be read using HTTPS?</p>


After reading a lot about the differences between REST and SOAP, I got the impression that REST is just another word for HTTP. Can someone explain what functionality REST adds to HTTP?

&lt;b&gt;Note&lt;/b&gt;: I&#39;m not looking for a comparison of REST versus SOAP.


What is the difference between HTTP and REST?

I have the feeling that I&#39;m missing the obvious, but have not succeeded with `man [curl|wget]` or google (&quot;http&quot; makes such a bad search term). I&#39;m looking for a quick&amp;dirty fix to one of our webservers that frequently fails, returning status code 500 with an error message. Once this happens, it needs to be restarted.

As the root cause seems to be hard to find, we&#39;re aiming for a quick fix, hoping that it will be enough to bridge the time until we can really fix it (the service doesn&#39;t need high availability)

The proposed solution is to create a cron job that runs every 5 minutes, checking http://localhost:8080/. If this returns with status code 500, the webserver will be restarted. The server will restart in under a minute, so there&#39;s no need to check for restarts already running.

The server in question is a ubuntu 8.04 minimal installation with just enough packages installed to run what it currently needs. There is no hard requirement to do the task in bash, but I&#39;d like it to run in such a minimal environment without installing any more interpreters. 

(I&#39;m sufficiently familiar with scripting that the command/options to assign the http status code to an environment variable would be enough - this is what I&#39;ve looked for and could not find.)

How to evaluate http response codes from bash/shell script?

I have an `HttpServletRequest` object.

How do I get the complete and exact URL that caused this call to arrive at my servlet?

Or at least as accurately as possible, as there are perhaps things that can be regenerated (the order of the parameters, perhaps).

HttpServletRequest to complete URL

Session variables and cookies seem very similar to me. I understand the technical differences, but how do you decide when to use one vs. the other?

When should I use session variables instead of cookies?

I am looking for a modern C++ HTTP library because libcurl&#39;s shortcomings are difficult to work around by C++ wrappers. Solutions based on Boost.ASIO, which has become the de-facto C++ TCP library, are preferred.


Boost.ASIO-based HTTP client library (like libcurl)

I&#39;m wondering if I can delete all my website&#39;s cookies when a user click on logout, because I used this as function to delete cookies but it isn&#39;t work properly:

    setcookie(&quot;user&quot;,false);

Is there a way to delete one domain&#39;s cookies in PHP?


how to delete all cookies of my website in php

Anyone have any &quot;best practices&quot; tips for Rails and sessions? The default session type for Rails 3 is still CookieStore, right? I used SqlSessionStore for a while and it worked well, but I may move away from that in favor of CookieStore. 

Is it still not a good idea to use CookieStore for sensitive info, even with salted info or is that better stored in the DB?

Rails sessions current practices

I noticed that when a link is clicked externally from the web browser, such as from Excel or Word, that my session cookie is initially unrecognized, even if the link opens up in a new tab of the same browser window.

The browser ends up recognizing its cookie eventually, but I am puzzled as to why that initial link from Excel or Word doesn&#39;t work. To make it even more challenging, clicking a link works fine from Outlook.

Does anybody know why this might be happening? I&#39;m using the Zend Framework with PHP 5.3.

Why are cookies unrecognized when a link is clicked from an external source (i.e. Excel, Word, etc...)

I&#39;m building an extranet for a company paranoid about security. They want to make sure that (among other things) their users are browsing the site with the Private Browsing mode switched on in their web browser so that no cookies or history is kept.

I found only this
http://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.html
and
https://serverfault.com/questions/18966/force-safari-to-operate-in-private-mode-and-detect-that-state-from-a-webserver

The ideal solution would use no or minimal javascript. Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

thanks!

----
update 

http://crypto.stanford.edu/~collinj/research/incognito/ uses the CSS visited technique of the browser fingerprinters mentioned by other posters- thanks for the hints.

I like it because it is small and elegant, but still want to be able to do it without javascript if possible.  

Detecting if a browser is using Private Browsing mode

I have to build a small webapp for a company to maintain their business data...  Only those within the company will be using it, but we are planning to host it in public domain, so that the employees can connect to app from various locations. (Till now I have built web apps that are hosted internally only)

I&#39;m wondering whether I need to use a secured connection (https) or just the forms authentication is enough.

If you say https, I have some questions :

1.  What should I do to prepare my website for https.  (Do I need to alter the code / Config)
2.  Is SSL and https one and the same...
3.  Do I need to apply with someone to get some license or something.
4.  Do I need to make all my pages secured or only the login page...

I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...

Feel free to ask incase you need more information.

Thanks

- Raja




How to make a website secured with https

I need to set up a really lightweight HTTPS server for a Java application. It&#39;s a simulator that&#39;s being used in our development labs to simulate the HTTPS connections accepted by a piece of equipment in the wild. Because it&#39;s purely a lightweight development tool and isn&#39;t used in production in any way at all, I&#39;m quite happy to bypass certifications and as much negotiation as I can.

I&#39;m planning on using the `HttpsServer` class in Java 6 SE but I&#39;m struggling to get it working. As a test client, I&#39;m using `wget` from the cygwin command line (`wget https://[address]:[port]`) but `wget` reports that it was &quot;Unable to establish SSL connection&quot;.

If I run `wget` with the `-d` option for debugging it tells me &quot;SSL handshake failed&quot;.

I&#39;ve spent 30 minutes googling this and everything seems to just point back to the fairly useless Java 6 documentation that describes the methods but doesn&#39;t actually talk about how to get the darn thing talking or provide any example code at all.

Can anyone nudge me in the right direction?


Simple Java HTTPS server

I am trying to make a WCF service over basicHttpBinding to be used over https. Here&#39;s my web.config:

    &lt;!-- language: xml --&gt;
    &lt;service behaviorConfiguration=&quot;MyServices.PingResultServiceBehavior&quot;
             name=&quot;MyServices.PingResultService&quot;&gt;
        &lt;endpoint address=&quot;&quot; 
                  binding=&quot;basicHttpBinding&quot; 
                  bindingConfiguration=&quot;defaultBasicHttpBinding&quot;
                  contract=&quot;MyServices.IPingResultService&quot;&gt;
            &lt;identity&gt;
                &lt;dns value=&quot;localhost&quot; /&gt;
            &lt;/identity&gt;
        &lt;/endpoint&gt;
        &lt;endpoint address=&quot;mex&quot; 
                  binding=&quot;mexHttpBinding&quot; 
                  contract=&quot;IMetadataExchange&quot; /&gt;
    &lt;/service&gt;
    ...

&lt;!-- language: xml --&gt;

    &lt;bindings&gt;
      &lt;basicHttpBinding&gt;
        &lt;binding name=&quot;defaultBasicHttpBinding&quot;&gt;
          &lt;security mode=&quot;Transport&quot;&gt;
            &lt;transport clientCredentialType=&quot;None&quot;/&gt;
          &lt;/security&gt;
        &lt;/binding&gt;
      &lt;/basicHttpBinding&gt;
    &lt;/bindings&gt;
    ...
    &lt;behaviors&gt;
      &lt;serviceBehaviors&gt;
        &lt;behavior name=&quot;MyServices.UpdateServiceBehavior&quot;&gt;
          &lt;serviceMetadata httpsGetEnabled=&quot;true&quot; /&gt;
          &lt;serviceDebug includeExceptionDetailInFaults=&quot;true&quot; /&gt;
        &lt;/behavior&gt;
      &lt;/serviceBehaviors&gt;
    &lt;/behaviors&gt;


I am connecting using WCFStorm which is able to retrieve all the meta data properly, but when I call the actual method I get:

&gt; The provided URI scheme &#39;https&#39; is invalid; expected &#39;http&#39;. Parameter
&gt; name: via

The provided URI scheme &#39;https&#39; is invalid; expected &#39;http&#39;. Parameter name: via

Do querystring parameters get encrypted in HTTPS when sent with a request?

Are querystring parameters secure in HTTPS (HTTP + SSL)? 

Recently posted a question regarding the `HttpClient` over Https ([found here][1]).  I&#39;ve made some headway, but I&#39;ve run into new issues. As with my last problem, I can&#39;t seem to find an example anywhere that works for me. Basically, I want my client to accept any certificate (because I&#39;m only ever pointing to one server) but I keep getting a `javax.net.ssl.SSLException: Not trusted server certificate exception.`

So this is what I have:

```java
    
    public void connect() throws A_WHOLE_BUNCH_OF_EXCEPTIONS {

        HttpPost post = new HttpPost(new URI(PROD_URL));
    	post.setEntity(new StringEntity(BODY));
 
    	KeyStore trusted = KeyStore.getInstance(&quot;BKS&quot;);
    	trusted.load(null, &quot;&quot;.toCharArray());
    	SSLSocketFactory sslf = new SSLSocketFactory(trusted);
        sslf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
	
    	SchemeRegistry schemeRegistry = new SchemeRegistry();
    	schemeRegistry.register(new Scheme (&quot;https&quot;, sslf, 443));
    	SingleClientConnManager cm = new SingleClientConnManager(post.getParams(),
                schemeRegistry);
		
    	HttpClient client = new DefaultHttpClient(cm, post.getParams());
    	HttpResponse result = client.execute(post);
    }
```

And here&#39;s the error I&#39;m getting:

```bash
    W/System.err(  901): javax.net.ssl.SSLException: Not trusted server certificate 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:360) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:92) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321) 
    W/System.err(  901): 	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:129) 
    W/System.err(  901): 	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164) 
    W/System.err(  901): 	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119) 
    W/System.err(  901): 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.connect(MainActivity.java:129) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.access$0(MainActivity.java:77) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity$2.run(MainActivity.java:49) 
    W/System.err(  901): Caused by: java.security.cert.CertificateException: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:157) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:355) 
    W/System.err(  901): 	... 12 more 
    W/System.err(  901): Caused by: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty 
    W/System.err(  901): 	at java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:645) 
    W/System.err(  901): 	at java.security.cert.PKIXParameters.&lt;init&gt;(PKIXParameters.java:89) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.&lt;init&gt;(TrustManagerImpl.java:89) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:134) 
    W/System.err(  901): 	at javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:226)W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.createTrustManagers(SSLSocketFactory.java:263) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.&lt;init&gt;(SSLSocketFactory.java:190) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.&lt;init&gt;(SSLSocketFactory.java:216) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.connect(MainActivity.java:107) 
    W/System.err(  901): 	... 2 more
```


  [1]: https://stackoverflow.com/questions/2603691/android-httpclient-and-https

Content Type	Original Author	Original Content on Stackoverflow
Question	Daniel Schaffer	View Question on Stackoverflow
Solution 1 - Http	richq	View Answer on Stackoverflow

Reading cookies via HTTPS that were set using HTTP

Http Problem Overview

Http Solutions

Solution 1 - Http

Custom QuerySet and Manager without breaking DRY?

Explicitly exporting shared library functions in Linux

Attributions