WebApp Sec mailing list archives

Re: Cookie Secure Attribute - Clarification


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sun, 28 Feb 2010 12:23:45 +0530

@John:
I believe it is a): the first time the client (browser) accesses the
Webserver, a cookie gets set on the Client browser. Though it might
well be b) as well. I didn't check on any pages after that to see if
the client sent it back as well. I will check the same. Is there a
difference though? The Web Server shouldn't be sending it either, right?

@Sandeep:
Isn't that a problem? If, despite accessing an HTTP link, a 'Secure'
cookie previously set on an HTTPS link is sent over it? For example, there
might be an image or some other static resource which is downloaded
when a 'secure' page is browsed. For speed reasons this might not be
HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and
hence sniffable over the network. The moment an HTTP link is accessed,
all 'Secure' cookies should NOT be sent at all. IMO anyway, as of my
current understanding.

I put in a lot of detail over on the OWASP mailing list where I posted
this - you might want to take a look at the same there. Here's the
link: https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html

Thanks
Arvind
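The mixed-content scenario in the message above (a Secure session cookie in the jar, then a plain-HTTP fetch of a static image from the same host) is easy to check against a conforming client. The following is an added example written for this archive page, not code from the thread or from any poster: it uses Python's standard http.cookiejar, whose DefaultCookiePolicy implements the Secure rule, and asks the jar which cookies it would attach to an https:// request versus an http:// request. The host www.example.com and the cookie names and values are constructed for the demo.

```python
"""Added illustration of the Secure cookie attribute on the client side.

Not code from the mailing-list thread. The host name, cookie names and
values are constructed for the demo.
"""
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style (version 0) cookie the way a browser stores it
    after a Set-Cookie header; `secure` mirrors the Secure attribute."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_jar():
    """Constructed jar state: a session cookie that was set with Secure and a
    non-Secure preference cookie, both for the same hypothetical host."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", "www.example.com", True))
    jar.set_cookie(make_cookie("prefs", "en", "www.example.com", False))
    return jar


def cookies_sent_to(jar, url):
    """Return {name: value} for the cookies the jar would attach to a request
    for `url`; an empty dict means no Cookie header would be sent at all."""
    req = urllib.request.Request(url)
    # add_cookie_header runs the full policy: domain, path, expiry and,
    # for cookies flagged secure, the URL scheme check.
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if header is None:
        return {}
    pairs = (item.split("=", 1) for item in header.split("; "))
    return {name: value for name, value in pairs}


if __name__ == "__main__":
    jar = build_jar()
    # The page itself, fetched over HTTPS: both cookies go out.
    print("https page :", cookies_sent_to(jar, "https://www.example.com/account"))
    # The static image fetched over plain HTTP: the Secure cookie is withheld.
    print("http image :", cookies_sent_to(jar, "http://www.example.com/img/logo.png"))
```

The Secure check is a client-side rule, so the scheme of the URL being fetched decides it, not the scheme of the page that set the cookie; the server has no say once the cookie is stored. The observable outcome that matters for a pentest is the second line: a correctly behaving jar leaves the session cookie out of the HTTP request, and any client that does include it is the bug to report.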


