Penetration Testing mailing list archives
HTTP Secure Cookie Directive setting
From: kapil assudani <kapil.assudani () yahoo com>
Date: Fri, 6 Apr 2007 08:33:09 -0700 (PDT)
Hi,

I'd like to know the configuration of the HTTP Secure flag setting in the following scenario:

IIS Web Server <-----http(80)-----> Alteon Switch SSL Accelerator/Offloader <-----ssl(443)-----> Client

So here, in this case, a client browser is actually negotiating SSL with the SSL accelerator box, which is obviously put in place for improving performance and to offload SSL handshake/processing off of the web server. So all the traffic from the SSL Accelerator/Offloader to the web server is not encrypted and is HTTP. And all the SSL communication is between the client and the switch and gets terminated there.

The client has set all configurations on the IIS web server for setting ASPSESSION cookies with the Secure directive as directed on MSDN, and since the SSL is terminating at the Alteon switch accelerator, the cookie eventually is not set "Secure".

I was wondering if anybody knows of a workaround for this in order to enable the Secure directive in this scenario from the server side?

Thanks
SecN3rd
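Added example, not part of the original post: a response-header filter of the kind that would sit at or behind the SSL-terminating hop in this layout, appending Secure to any Set-Cookie header the HTTP-only back end emits without it. The function names and sample headers are constructed for illustration, and whether a given offloader or web server can host such a rewrite is an assumption.

```python
# Added example: constructed headers, not captured from a real server.

def cookie_attrs(set_cookie_value):
    """Split one Set-Cookie value into (name=value pair, [attributes])."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    return parts[0], [p for p in parts[1:] if p]

def has_secure(set_cookie_value):
    # Only a bare attribute named "Secure" counts (case-insensitive);
    # a cookie called "secure=1" or a path containing "secure" does not.
    _, attrs = cookie_attrs(set_cookie_value)
    return any(a.lower() == "secure" for a in attrs)

def ensure_secure(set_cookie_value):
    """Return the value with Secure appended if it is missing."""
    if has_secure(set_cookie_value):
        return set_cookie_value
    return set_cookie_value.rstrip().rstrip(";") + "; Secure"

def rewrite_response(headers):
    """headers: list of (name, value) pairs from the back end.
    Returns (new_headers, names of cookies that were missing Secure)."""
    out, fixed = [], []
    for name, value in headers:
        if name.lower() == "set-cookie" and not has_secure(value):
            fixed.append(cookie_attrs(value)[0].split("=", 1)[0])
            value = ensure_secure(value)
        out.append((name, value))
    return out, fixed

# Constructed back-end response, as a web server would emit over plain HTTP.
BACKEND_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASPSESSIONIDEXAMPLE=CONSTRUCTEDVALUE; path=/"),
    ("Set-Cookie", "secure=1; path=/secure/"),
    ("Set-Cookie", "lang=en; Path=/; SECURE; HttpOnly"),
]

if __name__ == "__main__":
    new_headers, fixed = rewrite_response(BACKEND_RESPONSE)
    for n, v in new_headers:
        print(f"{n}: {v}")
    print("missing Secure on:", fixed)
```

The `fixed` list doubles as an audit result: run against responses seen on the client side of the offloader, an empty list means every cookie already carries the flag.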