WebApp Sec mailing list archives

Re: Cookie Secure Attribute - Clarification


From: "51l3n73y3s" <51l3n7 () live in>
Date: Sat, 27 Feb 2010 18:11:34 +0530

It will be in plain-text if both HTTP and HTTPS are enabled for the application. If only HTTP, not sent. If only HTTPS, sent encrypted.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Sent: Friday, February 26, 2010 6:48 PM
To: <webappsec () securityfocus com>; <webappsec () lists owasp org>
Subject: Cookie Secure Attribute - Clarification

Hey Guys,
A little bit of clarification needed about the 'Secure' attribute to
be set in a Cookie. I'm looking at Section 4.3.1 in the
RFC (http://www.ietf.org/rfc/rfc2109.txt) for the Secure attribute.
What I understand is - if I programmatically set the Cookie attribute
of, say, a Session ID to Secure - it shouldn't be sent over an insecure
channel. Meaning if I have a web server which has HTTP and HTTPS
enabled, the Secure cookie should NOT be sent if I access the website
over HTTP. However, for some stupid reason which I cannot understand -
it does get sent even over an HTTP channel. First I thought it was because I
was accessing the site over localhost, and Secure pertained only to
stuff on the network. But it's the same behaviour over the n/w as well -
anyone accessing my server over HTTP over the n/w... a cookie gets set
with the Secure attribute and sent in clear text over the n/w.

Surely something in my implementation or understanding is incorrect.
What am I missing?

Thnx
Arvind
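The behaviour the thread is asking about, as an added illustration that is not part of either message: the Secure attribute governs when the browser returns a cookie (RFC 2109 s4.3.1, RFC 6265 s5.4), not whether the server may issue it, so a Set-Cookie with Secure can still travel in clear text inside a plaintext HTTP response. The toy jar below is illustrative code, not a browser implementation; the host app.example and the sample headers are constructed.

```python
"""Toy cookie jar modelling the Secure attribute.

Models two rules from the cookie RFCs:
  1. A cookie carrying 'Secure' is only returned on https:// requests.
  2. Classic behaviour still *stores* a Secure cookie received over http;
     modern browsers optionally refuse it (reject_secure_over_http=True).
"""
from urllib.parse import urlsplit


class CookieJar:
    def __init__(self, reject_secure_over_http=False):
        self.reject_secure_over_http = reject_secure_over_http
        self.cookies = {}  # name -> {"value": str, "secure": bool}

    def receive(self, response_url, set_cookie):
        """Process one Set-Cookie header from a response fetched at response_url."""
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        # The cookie itself was already exposed if response_url is plain http;
        # the flag below only decides whether the UA keeps it at all.
        if secure and self.reject_secure_over_http and urlsplit(response_url).scheme != "https":
            return False
        self.cookies[name.strip()] = {"value": value.strip(), "secure": secure}
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header a compliant UA would send to request_url."""
        over_tls = urlsplit(request_url).scheme == "https"
        sent = [f"{n}={c['value']}" for n, c in self.cookies.items()
                if over_tls or not c["secure"]]
        return "; ".join(sent)


def demo():
    """Server with both HTTP and HTTPS enabled: what does the UA send back?"""
    jar = CookieJar()
    # Constructed sample headers, as received over a plaintext HTTP response.
    jar.receive("http://app.example/login", "sid=abc123; Secure; HttpOnly; Path=/")
    jar.receive("http://app.example/login", "theme=dark; Path=/")
    return {
        "http": jar.cookie_header("http://app.example/account"),
        "https": jar.cookie_header("https://app.example/account"),
    }


if __name__ == "__main__":
    print(demo())
```

Watching the wire for the Set-Cookie response rather than the Cookie request distinguishes "server issued it over HTTP" (a server configuration problem) from "browser returned it over HTTP" (a client-side violation of the attribute).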



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
