[Full-disclosure] Cookies marked as secure
michaelslists at gmail.com
Wed Jul 12 03:54:42 BST 2006
On 7/12/06, Josh L. Perrymon <joshuaperrymon at gmail.com> wrote:
> I'm having a discussion with a buddy about secure cookies. I'm looking
> at a Java application that used several cookies after logging in;
> so on...
> Obviously the application is using some code that performs additional
> sessions on top of the standard sessionID.
> What I'm seeing is that once I login to the app is that the SET
> Cookie: Statement has /Secure marked. However, all the client/server
> traffic afterwards is NOT marked with /Secure.
> I read the RFC and it says something like " HTTP Is stateless,
> therefore all sensitive cookies sent over HTTPS should be marked as
> /SECURE, so they are not passed over HTTP.
> So my questions finally:
> When needed a Cookie to be secure.. should it be marked as /SECURE in
> client requests to the server OR can it be marked secure within the
> physical cookie itself.. on the HD?
well it'd have to be in the cookie itself otherwise you'd basically be
sending the cookie but saying "here, this cookie is secure, please
don't receive it". which doesn't make sense. and defeats the point.
but better still is to use a subdomain for your secure cookie and not
allow http:// access to it. or at the very least encrypt and/or hash
the cookie yourself.
Full-Disclosure is hosted and sponsored by Secunia.