WebApp Sec mailing list archives

Using SSL cookies


From: Rogan Dawes <lists () dawes za net>
Date: Wed, 28 Jul 2004 13:37:37 +0200

Stan Guzik wrote:

> Once you enter the site they set their cookie without SSL. This is not a good practice because it leaves the cookie (maybe session management) open to a sniffing attack.

Good point. I'm surprised that more sites do not use the "secure" flag to
instruct the browser to only send the secure sessionid over an SSL
connection.

That way, one would have two independent but related sessionids, one that is
used for "tracking" and personalisation, and another that is used for
transactions. The "transaction" sessionid would never be sent in clear (but
should definitely NOT be resent to the browser if it presents a "tracking"
sessionid with no "transaction" sessionid)

This actually leads to another point.

Doesn't it make sense to only issue the cookie at the time of
authentication? As opposed to setting an "authenticated" flag in the
session?

That way, the attacker cannot sample sessionids, and there is reduced
exposure.

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
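The two-cookie scheme and login-time issuance described in the post above, as an added example that is not from the list post or any named project: a minimal Python request handler built on the standard library's http.cookies. The in-memory session tables, the credential store and the cookie names "track" and "txn" are constructed assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session tables standing in for a real server's store.
TRACKING = {}      # tracking sid -> preferences; may travel over plain HTTP
TRANSACTION = {}   # transaction sid -> user and the tracking sid it was bound to
USERS = {"alice": "correct horse"}   # constructed credential store


def set_cookie(name, sid, secure):
    """Build one Set-Cookie header; the Secure flag restricts it to SSL/TLS."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    if secure:
        c[name]["secure"] = True   # browser sends it only over an SSL connection
    return c.output(header="Set-Cookie:")


def parse_cookies(header):
    """Turn a Cookie request header into a plain {name: value} dict."""
    c = SimpleCookie()
    c.load(header or "")
    return {k: m.value for k, m in c.items()}


def handle(cookie_header, over_ssl, login=None):
    """Process one request; return (authenticated_user, [Set-Cookie headers])."""
    cookies = parse_cookies(cookie_header)
    out = []
    track = cookies.get("track")
    if track not in TRACKING:              # first visit: tracking sid only
        track = secrets.token_urlsafe(32)
        TRACKING[track] = {}
        out.append(set_cookie("track", track, secure=False))
    txn = cookies.get("txn")
    user = None
    # The transaction sid is honoured only over SSL and only if bound to this tracking sid.
    if over_ssl and txn in TRANSACTION and TRANSACTION[txn]["track"] == track:
        user = TRANSACTION[txn]["user"]
    elif login and over_ssl:               # transaction sid is issued only at authentication
        name, pw = login
        if USERS.get(name) == pw:
            txn = secrets.token_urlsafe(32)
            TRANSACTION[txn] = {"user": name, "track": track}
            out.append(set_cookie("txn", txn, secure=True))
            user = name
    # No branch re-sends a transaction cookie to a client that presents only a tracking sid.
    return user, out
```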