WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Ivan Ristic <ivanr () webkreator com>
Date: Wed, 28 Jul 2004 11:19:43 +0100

Jason Coombs PivX Solutions wrote:
> Ivan Ristic wrote:
> >
> >   * Session cookies transmitted over an unencrypted channel
> >     should not be allowed over SSL. The same the other way
> >     round.
>
> Browsers already differentiate between SSL cookies and non-SSL
> cookies.

They do, but the default behavior in most (all?) cases is for
cookies not to be secure. Developers must explicitly set
the secure flag for browsers to know not to send cookies
back over a non-SSL connection.

I have tested the PHP session handling mechanism: a session is
established over a non-SSL connection, and reused over SSL.
How many developers will know how to secure the configuration?

And even when a cookie is marked secure, PHP will happily
send it over a non-SSL connection. Worse, a browser might
(IE & Mozilla will, in my tests) send the cookie to the same
domain later if SSL is encountered.

The point I am trying to make is that cookies should be
marked as secure or non-secure (by the browser) based on their
origin. It is as simple as that. Cookies sent over a non-SSL
channel are not secure. A mechanism could exist to allow those
who want to reuse cookies to do so.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
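The PHP configuration question raised in the message above ("how many developers will know how to secure the configuration?") comes down to a few session settings plus a check on how the session id was issued. The following is an added example, not code from the thread or from the ModSecurity project; the helper names `request_is_tls`, `start_secure_session` and the session key `issued_over_tls` are assumptions made here, and it assumes a standard PHP build where `$_SERVER['HTTPS']` reflects the transport.

```php
<?php
// Added example (not from the original thread): harden PHP session cookies
// so a session id is never issued over plain HTTP, and a session that was
// established over HTTP is not silently reused over SSL.

// 1. Weak default: PHP issues the session cookie without the "secure"
//    flag, so the browser returns it over unencrypted connections too.
//    Set the flag before the session starts; use_only_cookies also keeps
//    the id out of URLs.
ini_set('session.cookie_secure', '1');
ini_set('session.use_only_cookies', '1');

// 2. Was this request actually served over TLS? (Assumes the web server
//    populates $_SERVER['HTTPS']; behind a proxy this must be adapted.)
function request_is_tls(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// 3. Start a session only for TLS requests. A session id that has already
//    crossed the wire in clear text is not worth accepting, so over HTTP we
//    refuse to start the session and expire any id the browser sent.
function start_secure_session(): bool
{
    if (!request_is_tls()) {
        if (isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time() - 3600, '/');
        }
        return false;
    }

    session_start();

    // 4. "issued_over_tls" (assumed name) is only ever set on this code
    //    path. A session lacking it was created elsewhere, possibly over
    //    HTTP, so replace the id and discard the old one.
    if (empty($_SESSION['issued_over_tls'])) {
        session_regenerate_id(true);
        $_SESSION['issued_over_tls'] = true;
    }
    return true;
}

// Usage: at the top of every page that needs a session.
if (!start_secure_session()) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
```

The secure flag alone only tells the browser not to return the cookie over HTTP; the regeneration step covers the case the message describes, where the id was handed out before the flag was in place and then shows up again once the user reaches an SSL page.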
