WebApp Sec mailing list archives
Using SSL cookies
From: Rogan Dawes <lists () dawes za net>
Date: Wed, 28 Jul 2004 13:37:37 +0200
Stan Guzik wrote:
Once you enter the site they set their cookie without SSL. This is not a good practice because it leaves the cookie (maybe session management) open to a sniffing attack.
Good point. I'm surprised that more sites do not use the "secure" flag to instruct the browser to only send the secure sessionid over an SSL connection. That way, one would have two independent but related sessionids, one that is used for "tracking" and personalisation, and another that is used for transactions. The "transaction" sessionid would never be sent in clear (but should definitely NOT be resent to the browser if it presents a "tracking" sessionid with no "transaction" sessionid).

This actually leads to another point. Doesn't it make sense to only issue the cookie at the time of authentication? As opposed to setting an "authenticated" flag in the session? That way, the attacker cannot sample sessionids, and there is reduced exposure.

Regards,

Rogan

--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist.
Please respond to "lists AT dawes DOT za DOT net"
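The two-cookie model described in the message above, worked through as an added example (not code from the original post or its author): a plaintext "tracking" cookie for every visitor, a Secure-flagged "transaction" cookie minted only at the moment of authentication over TLS, and a server that never re-issues the transaction cookie to a client presenting only the tracking id. The cookie names, the `/login` and `/account` paths, the request shape, the credential table and the choice to bind each transaction id to the tracking id it was minted for are all assumptions made for illustration.

```python
"""Two-cookie session model (added example, not from the original post).

A tracking cookie is issued to every visitor and is deliberately NOT marked
Secure, so personalisation works on plain-http pages.  A separate transaction
cookie carrying the Secure flag is minted only on successful authentication
over TLS, so no "authenticated" flag ever lives on the tracking session.
Presenting a tracking id alone never causes the transaction cookie to be
(re)issued.  Names, paths, request shape and credentials are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

TRACKING_COOKIE = "track"    # assumed name: personalisation, flows over http too
TRANSACTION_COOKIE = "txn"   # assumed name: Secure-flagged, TLS only

# Constructed credential table for the example only.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class SessionStore:
    # tracking id -> preferences blob
    tracking: dict = field(default_factory=dict)
    # transaction id -> (username, tracking id it was minted for)
    transactions: dict = field(default_factory=dict)

    def new_tracking_id(self) -> str:
        tid = secrets.token_urlsafe(32)
        self.tracking[tid] = {}
        return tid

    def new_transaction_id(self, user: str, tracking_id: str) -> str:
        xid = secrets.token_urlsafe(32)
        self.transactions[xid] = (user, tracking_id)
        return xid


def parse_cookies(header: str) -> dict:
    """Minimal parser for a Cookie: header of the form 'a=1; b=2'."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            out[name] = value
    return out


def handle(store: SessionStore, tls: bool, path: str, cookie_header: str = "",
           credentials: Optional[Tuple[str, str]] = None) -> dict:
    """Serve one request; returns {'status', 'body', 'set_cookie'}."""
    cookies = parse_cookies(cookie_header)
    set_cookie = []

    # 1. Every visitor gets a tracking id.  No Secure flag: this one is
    #    allowed to travel in clear, and is worth nothing to a sniffer.
    tid = cookies.get(TRACKING_COOKIE)
    if tid not in store.tracking:
        tid = store.new_tracking_id()
        set_cookie.append(f"{TRACKING_COOKIE}={tid}; Path=/; HttpOnly")

    # 2. The transaction cookie is minted here and nowhere else: only over
    #    TLS, only on successful authentication, always with Secure set.
    if path == "/login":
        if not tls:
            return {"status": 403, "body": "login requires TLS", "set_cookie": set_cookie}
        user, password = credentials or ("", "")
        if user not in USERS or not hmac.compare_digest(USERS[user], password):
            return {"status": 401, "body": "bad credentials", "set_cookie": set_cookie}
        xid = store.new_transaction_id(user, tid)
        set_cookie.append(f"{TRANSACTION_COOKIE}={xid}; Path=/; Secure; HttpOnly")
        return {"status": 200, "body": f"welcome {user}", "set_cookie": set_cookie}

    # 3. Transactional paths need TLS plus a transaction id bound to the
    #    presented tracking id.  A tracking id on its own gets a 401 and,
    #    crucially, no fresh transaction cookie in the response.
    if path.startswith("/account"):
        entry = store.transactions.get(cookies.get(TRANSACTION_COOKIE, ""))
        if not tls or entry is None or entry[1] != tid:
            return {"status": 401, "body": "please authenticate", "set_cookie": set_cookie}
        return {"status": 200, "body": f"account of {entry[0]}", "set_cookie": set_cookie}

    # 4. Everything else is public and personalised by the tracking id only.
    return {"status": 200, "body": "public page", "set_cookie": set_cookie}
```

Rejecting a transaction id that arrives over plaintext (step 3) matters even though a browser honouring the Secure flag will never send one: a client that ignores the flag, or an attacker replaying a sniffed value, should not be able to downgrade the transaction session to http.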