Is secure cookie really secure?
According to the document at [url]http://e-docs.bea.com/wls/docs81/security/thin_client.html[/url],
the secure cookie _wl_authcookie_ turns on when https starts.
I have some quick questions regarding how it really works:
Q1. This secure cookie will definitely prevent session stealing in transit (due to https).
However, will it prevent session hijacking using cross-site scripting? I.e., _wl_authcookie_
can still be obtained in clear text by an attacker even when using https, and the attacker uses it
to hijack the session?
Will it prevent session fixation as described in
Q2. Is _wl_authcookie_ tied to the SSL session ID?
If yes, the answer to Q1 should be yes, right?
Q3. Should the _wl_authcookie_ value be constant as long as https is on?
However, I observe that _wl_authcookie_ changes per request for one web app. It provides extra protection at the cost of performance. Is this a configurable feature?
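The questions above turn on what each cookie attribute actually covers: the Secure attribute only keeps the cookie off plain-HTTP connections, while script access from the page (the XSS case in Q1) is governed by the separate HttpOnly attribute, and per-request rotation (Q3) is a property of the server's value generation, not of either attribute. The following is an added example, not code from the thread or from the BEA documentation: a small audit of Set-Cookie response headers that reports which protections each cookie carries, plus a helper that checks whether a cookie's value changes between responses. The header lines are constructed sample data, and the cookie values in them are placeholders.

```python
"""Audit Set-Cookie headers for transport and script-access protections.

Added example; the sample headers below are constructed, not captured from
a real WebLogic server, and the cookie values are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Constructed sample response headers (hypothetical values).
SAMPLE_SET_COOKIE_HEADERS = [
    "_wl_authcookie_=PLACEHOLDER_AUTH; Path=/; Secure",
    "JSESSIONID=PLACEHOLDER_SESSION; Path=/; HttpOnly",
    "theme=dark; Path=/",
]


@dataclass
class CookieReport:
    name: str
    secure: bool      # Secure attribute: browser sends cookie only over https
    httponly: bool    # HttpOnly attribute: cookie hidden from document.cookie
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and note which protections are absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flag attributes carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    findings = []
    if not secure:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if not httponly:
        findings.append("missing HttpOnly: readable by page script (XSS exposure)")
    return CookieReport(name, secure, httponly, findings)


def audit(headers: Sequence[str]) -> Dict[str, CookieReport]:
    """Audit every Set-Cookie header and key the reports by cookie name."""
    return {r.name: r for r in (parse_set_cookie(h) for h in headers)}


def value_rotates(values: Sequence[str]) -> bool:
    """True if a cookie's value differs on every consecutive response.

    Feed this the value of one cookie as observed across successive
    responses to see whether the server re-issues it per request.
    """
    return all(a != b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for report in audit(SAMPLE_SET_COOKIE_HEADERS).values():
        status = "ok" if not report.findings else "; ".join(report.findings)
        print(f"{report.name}: Secure={report.secure} HttpOnly={report.httponly} -> {status}")
    # Constructed observation: the same cookie across three responses.
    print("rotates per request:", value_rotates(["v1", "v2", "v3"]))
```

Run against real responses, collect the Set-Cookie headers from each response (for example from an HTTP client's response object) and pass them to `audit`; a cookie that carries Secure but not HttpOnly is protected in transit yet still exposed to script in the page, which is the distinction Q1 asks about.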