Full Disclosure mailing list archives
Re: Cookies marked as secure
From: mikeiscool <michaelslists () gmail com>
Date: Wed, 12 Jul 2006 12:54:42 +1000
On 7/12/06, Josh L. Perrymon <joshuaperrymon () gmail com> wrote:
> Ok, I'm having a discussion with a buddy about secure cookies. I'm looking at a Java application that uses several cookies after logging in: SessionID, CookieIDtype, FailMSGID and so on. Obviously the application is using some code that performs additional sessions on top of the standard sessionID.
>
> What I'm seeing is that once I log in to the app, the Set-Cookie statement has /Secure marked. However, all the client/server traffic afterwards is NOT marked with /Secure.
>
> I read the RFC and it says something like "HTTP is stateless, therefore all sensitive cookies sent over HTTPS should be marked as /SECURE, so they are not passed over HTTP."
>
> So my question finally: when a cookie needs to be secure, should it be marked as /SECURE in client requests to the server, OR can it be marked secure within the physical cookie itself, on the HD?
well it'd have to be in the cookie itself, otherwise you'd basically be sending the cookie but saying "here, this cookie is secure, please don't receive it". which doesn't make sense, and defeats the point.

but better still is to use a subdomain for your secure cookie and not allow http:// access to it. or at the very least encrypt and/or hash the cookie yourself.

-- mic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
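The behaviour mic describes, as an added example that is not part of the original thread or of the Java application Josh is looking at: the Secure attribute lives only in the server's Set-Cookie header and in the browser's cookie store, the client never echoes attributes back (the Cookie request header carries bare name=value pairs), and a conforming user agent simply omits Secure cookies from plain http:// requests. The small cookie jar below models that rule plus the Domain matching that makes the "separate subdomain for the secure cookie" advice work, and finishes with an HMAC-signed cookie value as one way to "hash the cookie yourself". Hostnames, cookie names, values and the signing key are all constructed for the demo.

```python
import hashlib
import hmac


def build_set_cookie(name, value, secure=True, httponly=True, domain=None, path="/"):
    """Server side: render a Set-Cookie header value with the chosen attributes."""
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")      # only ever sent back over HTTPS
    if httponly:
        parts.append("HttpOnly")    # not readable from script (defence in depth)
    return "; ".join(parts)


def parse_set_cookie(header):
    """Client side: split a Set-Cookie header into name/value and its attributes."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False,
              "httponly": False, "domain": None, "path": "/"}
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val
    return cookie


class CookieJar:
    """Minimal model of a browser cookie store (constructed for this example)."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, origin_host):
        c = parse_set_cookie(set_cookie_header)
        if c["domain"] is None:          # no Domain attribute: host-only cookie
            c["domain"] = origin_host.lower()
            c["host_only"] = True
        else:
            c["host_only"] = False
        self.cookies.append(c)

    def cookies_for(self, scheme, host):
        """Return the name=value pairs a request to scheme://host would carry."""
        host = host.lower()
        sent = []
        for c in self.cookies:
            if c["secure"] and scheme != "https":
                continue                 # the Secure rule: never over plain HTTP
            if c["host_only"]:
                if host != c["domain"]:
                    continue
            elif host != c["domain"] and not host.endswith("." + c["domain"]):
                continue
            sent.append(f"{c['name']}={c['value']}")   # attributes are NOT echoed back
        return sent


# Constructed demo key; a real deployment keeps this secret and server-side only.
SERVER_KEY = b"constructed-demo-key"


def sign_value(value, key=SERVER_KEY):
    """Append an HMAC so the server can detect a tampered cookie value."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed, key=SERVER_KEY):
    """Return the original value if the HMAC checks out, else None."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def demo():
    jar = CookieJar()
    # Session cookie for the main site, marked Secure; a harmless status cookie without it.
    jar.store(build_set_cookie("SessionID", "abc123", secure=True), "www.example.com")
    jar.store(build_set_cookie("FailMSGID", "7", secure=False), "www.example.com")
    # The "separate subdomain" pattern: the secure cookie is scoped to secure.example.com.
    jar.store(build_set_cookie("SessionID", "s3cret", secure=True,
                               domain="secure.example.com"), "secure.example.com")
    return {
        "https_www": jar.cookies_for("https", "www.example.com"),
        "http_www": jar.cookies_for("http", "www.example.com"),
        "http_secure": jar.cookies_for("http", "secure.example.com"),
        "https_secure": jar.cookies_for("https", "secure.example.com"),
    }


if __name__ == "__main__":
    for request, cookies in demo().items():
        print(f"{request:13s} -> {cookies}")
    print(verify_value(sign_value("user42")), verify_value("admin." + sign_value("user42").split(".")[1]))
```

Running it shows the point of the thread: the same SessionID that travels on the https:// request to www.example.com is absent from the http:// request, with no "Secure" marker in either case, and the cookie scoped to secure.example.com is never offered to the www host at all. The HMAC part shows why the flag alone is not the whole story: if the value is ever leaked, a tamper-evident value at least stops it being edited into someone else's session.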
Current thread:
- Cookies marked as secure Josh L. Perrymon (Jul 11)
- Re: Cookies marked as secure mikeiscool (Jul 11)