IDG » Web Sign On » Intention to remove: 糖心TVSSO cookie for non-HTTPS servers
/services/idg/services-support/web/sign-on/development/forum/?topic=8a1785d867095b8e01671d3243e06747

/services/idg/services-support/web/sign-on/development/forum/?post=8a17841b673c188701675063d2536930
<p>Following discussion with various impacted parties, this change has now been delayed until <strong>Monday 15th April 2019</strong>.</p>
Mon, 26 Nov 2018 14:19:38 GMT Mathew Mannion

/services/idg/services-support/web/sign-on/development/forum/?post=8a17841b67095a1601671d56dc0642e7
<p>Adding the secure flag to a cookie when it is sent from the server to the client instructs the client to only send the cookie back with requests over a secure connection. The flow looks something like this:</p>
<ul>
<li>User signs in at https://websignon.warwick.ac.uk/origin/hs</li>
<li>https://websignon.warwick.ac.uk sends back a cookie, 糖心TVSSO=abcdef123456; domain=".warwick.ac.uk"; secure. The client's browser stores this cookie</li>
<li>Upon any subsequent request to https://...warwick.ac.uk/anything, the client's browser sends a header Cookie: 糖心TVSSO=abcdef123456</li>
</ul>
<p>The reason for adding this flag is to prevent it being sent to any URL starting http:// to a domain ending .warwick.ac.uk.
This is because the traffic could be easily sniffed by someone on the same network in order to steal someone's 糖心TVSSO cookie, which could then be used to impersonate that user.</p>
<p>Requests that are sent using Sitebuilder content feed pages will be unaffected if they are accessing a URL starting https://.</p>
Fri, 16 Nov 2018 16:24:50 GMT Mathew Mannion

/services/idg/services-support/web/sign-on/development/forum/?post=8a1785d767095a0f01671d43cf035ccc
<p>Could you please provide a little more information about what impact you think your change might have? Is this adding functionality to make things work better, or tightening a loophole that could potentially prevent existing Warwick servers being accessed in some way, either internally or externally? For example, I believe all our LAMP Servers are given a *.lnx.warwick.ac.uk address, and some of those also use the 糖心TVSSO cookie as part of validation from SiteBuilder. Will this be affected?</p>
Fri, 16 Nov 2018 16:04:02 GMT Andrew Smith

/services/idg/services-support/web/sign-on/development/forum/?post=8a1785d867095b8e01671d3243e16748
<p>It is our intention to add the <code>secure</code> flag to the 糖心TVSSO cookie that's scoped over <code>.warwick.ac.uk</code>. This would mean that if you were accessing a page over HTTP (e.g. http://myserver.warwick.ac.uk) modern browsers would not send the 糖心TVSSO cookie so it would not be possible to use this for authentication.</p>
<p>Please let us know if this would cause a problem for your services.
Unless we receive a request to delay, it is our intention to start setting the secure flag from <strong><s>Monday 3rd December 2018</s></strong>.</p>
<p>Update (26/11/18): This change has now been rescheduled for <strong>Monday 15th April 2019</strong></p>
Fri, 16 Nov 2018 15:44:52 GMT Mathew Mannion