WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: Ivan Ristic <ivanr () webkreator com>
Date: Wed, 28 Jul 2004 11:19:43 +0100
Jason Coombs PivX Solutions wrote:

> Ivan Ristic wrote:
>
>> * Session cookies transmitted over an unencrypted channel should not be
>> allowed over SSL. The same the other way round.
>
> Browsers already differentiate between SSL cookies and non-SSL cookies.

They do, but the default behavior in most (all?) cases is for cookies not to be secure. Developers must explicitly set the secure flag for browsers to know not to send cookies back over a non-SSL connection.

I have tested the PHP session handling mechanism: a session is established over a non-SSL connection, and reused over SSL. How many developers will know how to secure the configuration? And even when a cookie is marked secure, PHP will happily send it over a non-SSL connection. Worse, a browser might (IE & Mozilla will, in my tests) send the cookie to the same domain later if SSL is encountered.

The point I am trying to make is that cookies should be marked as secure or non-secure (by the browser) based on their origin. It is as simple as that. Cookies sent over a non-SSL channel are not secure. A mechanism could exist to allow those who want to reuse cookies to do so.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
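To make the two behaviours in the post concrete, here is an added example (not code from the thread, PHP or ModSecurity): a small cookie store that can either honour only the Secure attribute, as the browsers described above do, or apply the origin-based rule the post proposes, plus an audit helper for the default of session cookies being set without the Secure flag. The cookie name PHPSESSID and the host example.com are constructed sample values.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Minimal cookie store that records the scheme each cookie arrived over.

    enforce_origin=False models the browser behaviour described in the post:
    only the Secure attribute is honoured, so a cookie set over plain HTTP is
    later sent over HTTPS too.  enforce_origin=True applies the post's proposed
    rule: a cookie is only ever sent over the scheme it was received on.
    """

    def __init__(self, enforce_origin=False):
        self.enforce_origin = enforce_origin
        self._jar = {}  # (host, name) -> (value, scheme_set_over, has_secure_flag)

    def receive(self, response_url, set_cookie_header):
        """Store cookies from one Set-Cookie header, tagged with the response scheme."""
        url = urlsplit(response_url)
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            secure = morsel["secure"] is True  # SimpleCookie stores "" when absent
            self._jar[(url.hostname, name)] = (morsel.value, url.scheme, secure)

    def cookies_for(self, request_url):
        """Return {name: value} the jar would attach to a request for request_url."""
        url = urlsplit(request_url)
        sent = {}
        for (host, name), (value, set_scheme, secure) in self._jar.items():
            if host != url.hostname:
                continue
            if secure and url.scheme != "https":
                continue  # Secure attribute: never send over plain HTTP
            if self.enforce_origin and set_scheme != url.scheme:
                continue  # the post's rule: the scheme of origin decides
            sent[name] = value
        return sent


def missing_secure_flag(response_url, set_cookie_header):
    """Audit helper: names of cookies set over HTTPS without the Secure attribute,
    i.e. the default that the post says developers must remember to change."""
    if urlsplit(response_url).scheme != "https":
        return []
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    return [name for name, morsel in parsed.items() if morsel["secure"] is not True]
```

Feeding the same Set-Cookie header into both modes shows the difference: the default jar returns the HTTP-origin session cookie for an HTTPS request, the origin-enforcing jar does not.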