WebApp Sec mailing list archives
Re: Cookie Secure Attribute - Clarification
From: "51l3n73y3s" <51l3n7 () live in>
Date: Mon, 1 Mar 2010 19:17:56 +0530
I would make the attribute as Secure and then also set the requireSSL of the form to true. In this way the server will discard it if it's over HTTP.
Regards,
Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Sent: Sunday, February 28, 2010 12:23 PM
To: <webappsec () securityfocus com>
Subject: Re: Cookie Secure Attribute - Clarification

@John: I believe it is a), the first time the client (browser) accesses the Webserver - a cookie gets set on the Client browser. Though it might well be b) as well..I didn't check on any pages after that to see if the client sent it back as well. I will check the same. Is there a difference though? The Web Server shouldn't be sending it either..rt?

@Sandeep: Isn't that a problem? If despite accessing a HTTP link, a 'Secure' cookie previously set on a HTTPS link is sent over it? For eg. There might be an image or some other static resource which is downloaded when a 'secure' page is browsed. For speed reasons this might not be HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and hence sniffable over the network. The moment a HTTP link is accessed all 'Secure' cookies should NOT be sent at all. IMO anyway as of my current understanding.

I put in a lot of detail over on the OWASP mailing list where I posted this - you might want to take a look at the same there. Here's the link: https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html

Thnx
Arvind

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
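The two sides of the thread in one place: the browser rule Arvind expects (a cookie flagged Secure is never attached to a plain-HTTP request, e.g. for an image on an HTTP page) and the server-side fallback Sandeep describes (a requireSSL-style check that ignores the session cookie unless the request arrived over HTTPS). This is an added Python model, not code from the thread or from any browser or framework; the `CookieJar` and `server_session_id` names and the example.com URLs are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    secure: bool = False


class CookieJar:
    """Minimal client-side jar: a Secure cookie is only sent over https."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, request_url):
        # Simplified Set-Cookie parsing: "name=value; Secure" (constructed).
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        self.cookies.append(Cookie(name, value, urlsplit(request_url).hostname, secure))

    def cookie_header_for(self, request_url):
        """Build the Cookie header the browser would send to request_url."""
        u = urlsplit(request_url)
        sent = []
        for c in self.cookies:
            if c.host != u.hostname:
                continue
            if c.secure and u.scheme != "https":
                continue  # the check that keeps Secure cookies off the wire on HTTP
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def server_session_id(cookie_header, is_https, require_ssl=True):
    """Server-side belt and braces (models a requireSSL flag): return the
    session id only if the request came in over TLS, else treat it as absent."""
    if require_ssl and not is_https:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            return value or None
    return None
```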
Current thread:
- Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 27)
- Message not available
- Re: [Webappsec] Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 27)
- Message not available
- Message not available
- Cookie Secure Attribute - Clarification John Wilander (Feb 27)
- Re: Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 28)
- Re: Cookie Secure Attribute - Clarification 51l3n73y3s (Mar 01)
- Cookie Secure Attribute - Clarification John Wilander (Feb 27)