webappsec March 2010 archive

Re: Cookie Secure Attribute - Clarification

From: 51l3n73y3s <51l3n7_at_nospam>
Date: Mon Mar 01 2010 - 13:47:56 GMT
To: "arvind doraiswamy" <arvind.doraiswamy@gmail.com>, <webappsec@securityfocus.com>

I would make the attribute Secure and then also set the requireSSL of the
form to true. In this way the server will discard it if it's over HTTP.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy@gmail.com>
Sent: Sunday, February 28, 2010 12:23 PM
To: <webappsec@securityfocus.com>
Subject: Re: Cookie Secure Attribute - Clarification

> @John:
> I believe it is a): the first time the client (browser) accesses the
> web server, a cookie gets set on the client browser. Though it might
> well be b) as well... I didn't check on any pages after that to see if
> the client sent it back as well. I will check the same. Is there a
> difference though? The web server shouldn't be sending it either... right?
>
> @Sandeep:
> Isn't that a problem? If, despite accessing an HTTP link, a 'Secure'
> cookie previously set on an HTTPS link is sent over it? For example, there
> might be an image or some other static resource which is downloaded
> when a 'secure' page is browsed. For speed reasons this might not be
> HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and
> hence sniffable over the network. The moment an HTTP link is accessed,
> all 'Secure' cookies should NOT be sent at all. IMO anyway, as of my
> current understanding.
>
> I put in a lot of detail over on the OWASP mailing list where I posted
> this - you might want to take a look at the same there. Here's the
> link:
> https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html
>
> Thanks
> Arvind

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
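The two halves of the thread above (whether a Secure cookie travels over an HTTP link for, say, an image, and Sandeep's server-side requireSSL-style discard) can be checked offline. The following is an added example, not code from either poster: it uses Python's standard http.cookiejar as a stand-in for a browser's cookie policy, feeds it a constructed Set-Cookie response for the made-up host app.example.com, and then shows which cookies the jar attaches to an HTTPS request versus an HTTP request for a static resource. The server_accepts_session function is a hypothetical illustration of the server-side check, not a real framework API.

```python
import email.message
import http.cookiejar
import urllib.request
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers for the made-up host app.example.com:
# a session cookie flagged Secure and a preference cookie without the flag.
SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
LOGIN_URL = "https://app.example.com/login"


def is_secure_cookie(set_cookie_header, name):
    """Parse one Set-Cookie header and report whether `name` carries the Secure flag."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    # Morsel flags default to "" when absent and True when present.
    return bool(parsed[name]["secure"])


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar.extract_cookies only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def build_jar():
    """Simulate the first HTTPS visit: the jar stores both cookies from the response."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(_FakeResponse(SET_COOKIE_HEADERS), request)
    return jar


def cookies_sent_to(url, jar):
    """Names of the cookies the jar's policy attaches to a request for `url`.

    DefaultCookiePolicy.return_ok_secure refuses to release a Secure cookie
    unless the request scheme is https (or wss), which is the same rule
    browsers apply.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return [pair.strip().split("=", 1)[0] for pair in header.split(";")]


def server_accepts_session(scheme, cookie_header):
    """Hypothetical server-side counterpart to requireSSL.

    Returns the session id only when the request arrived over HTTPS; a session
    cookie that shows up on a plain HTTP request is discarded, never trusted.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    if "sessionid" not in cookies or scheme != "https":
        return None
    return cookies["sessionid"].value


if __name__ == "__main__":
    jar = build_jar()
    for url in ("https://app.example.com/account",
                "http://app.example.com/static/logo.png"):
        print(url, "->", cookies_sent_to(url, jar))
    for scheme in ("https", "http"):
        print(scheme, "server sees session:",
              server_accepts_session(scheme, "sessionid=abc123; theme=dark"))
```

Run as-is, the jar sends both cookies to the HTTPS URL but only `theme` to the HTTP image URL, so a conforming client does not leak a Secure cookie on a mixed-content link; the server-side check is the second line of defence for clients or proxies that do not honour the flag.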