WebApp Sec mailing list archives
Cookie Secure Attribute - Clarification
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Fri, 26 Feb 2010 18:48:21 +0530
Hey Guys,

A little bit of clarification needed about the 'Secure' attribute to be set in a Cookie. I'm looking at Section 4.3.1 in the RFC (http://www.ietf.org/rfc/rfc2109.txt) for the Secure attribute. What I understand is: if I programmatically set the Cookie attribute of, say, a Session ID to Secure, it shouldn't be sent over an insecure channel. Meaning if I have a web server which has HTTP and HTTPS enabled, the Secure cookie should NOT be sent if I access the website over HTTP.

However, for some stupid reason which I cannot understand, it does get sent even over an HTTP channel. First I thought it was because I was accessing the site over localhost, and Secure pertained only to stuff on the network. But it's the same behavior over the n/w as well: anyone accessing my server over HTTP over the n/w, a cookie gets set with the Secure attribute and sent in clear text over the n/w.

Surely something in my implementation or understanding is incorrect. What am I missing?

Thanks
Arvind
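The distinction the question turns on can be shown in a few lines. The following is an added example, not code from the original post: a minimal cookie jar that applies only the Secure rule from RFC 2109 section 4.3.1 (the user agent returns a Secure cookie only on requests over a secure scheme), plus a hypothetical server-side helper that refuses to issue the session cookie at all unless the response goes over HTTPS. Header strings, `example.test` and the session id are constructed values.

```python
from urllib.parse import urlsplit

# Minimal model of how a user agent treats the Secure attribute (RFC 2109 4.3.1,
# RFC 6265 5.4): the server may *set* the cookie over any channel, but the user
# agent only *returns* it on requests whose scheme is https. All sample values
# below are constructed for illustration.

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value.strip(), attrs

class CookieJar:
    """Cookie store that applies only the Secure rule (no domain/path/expiry)."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure_flag)

    def receive(self, set_cookie_header):
        # Stored regardless of the channel it arrived on: Secure does not stop
        # a server from issuing the cookie in a plain-HTTP response.
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self.cookies[name] = (value, "secure" in attrs)

    def cookie_header_for(self, url):
        """Cookie request header the agent would send to this URL."""
        scheme = urlsplit(url).scheme.lower()
        pairs = [f"{n}={v}" for n, (v, secure) in self.cookies.items()
                 if not secure or scheme == "https"]
        return "; ".join(pairs)

def issue_session_cookie(request_scheme, session_id):
    """Hypothetical server-side mitigation: emit the Secure session cookie only
    on an HTTPS response, so its value never appears in a cleartext Set-Cookie."""
    if request_scheme.lower() != "https":
        return None
    return f"SESSIONID={session_id}; Secure; HttpOnly; Path=/"

if __name__ == "__main__":
    jar = CookieJar()
    jar.receive("SESSIONID=abc123; Secure; HttpOnly")  # constructed header
    jar.receive("lang=en")                             # constructed header
    print(jar.cookie_header_for("http://example.test/"))   # lang=en
    print(jar.cookie_header_for("https://example.test/"))  # SESSIONID=abc123; lang=en
    print(issue_session_cookie("http", "abc123"))          # None
```

Seeing the Set-Cookie header with Secure in an HTTP response is therefore expected under the RFC; what Secure prevents is the browser returning that cookie on later HTTP requests, and the server-side check is what keeps the value out of cleartext entirely.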