WebApp Sec mailing list archives
Re: Cookie Secure Attribute - Clarification
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sun, 28 Feb 2010 12:23:45 +0530
@John: I believe it is a): the first time the client (browser) accesses the Web server, a cookie gets set on the client browser. Though it might well be b) as well... I didn't check on any pages after that to see if the client sent it back as well. I will check the same. Is there a difference though? The Web server shouldn't be sending it either... right?

@Sandeep: Isn't that a problem? If, despite accessing an HTTP link, a 'Secure' cookie previously set on an HTTPS link is sent over it? For e.g., there might be an image or some other static resource which is downloaded when a 'secure' page is browsed. For speed reasons this might not be HTTPS but HTTP. The 'Secure' cookie will also be sent in this case and hence sniffable over the network. The moment an HTTP link is accessed, all 'Secure' cookies should NOT be sent at all. IMO anyway, as of my current understanding.

I put in a lot of detail over on the OWASP mailing list where I posted this - you might want to take a look at the same there. Here's the link: https://lists.owasp.org/pipermail/webappsec/2010-February/000829.html

Thnx
Arvind
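The behaviour the post expects (a cookie carrying the Secure attribute must stay on HTTPS even when a page loads a static resource over plain HTTP) can be checked against a standards-following cookie store. The script below is an added example, not part of the thread; it drives Python's standard-library CookieJar with a stand-in response object, and the host names and cookie values are constructed for the demonstration.

```python
# Added example (not from the original post): how a standards-following cookie
# jar treats a cookie set over HTTPS with the Secure attribute when the same
# site is later fetched over plain HTTP. Hosts and values are constructed.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url ('' if none)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


def secure_cookie_demo():
    """Set a Secure and a non-Secure cookie over HTTPS, then see which are sent over HTTP."""
    jar = CookieJar()
    login = Request("https://www.example.com/login")  # constructed host
    jar.extract_cookies(FakeResponse([
        "session=abc123; Path=/; Secure",  # Secure: must never travel over HTTP
        "theme=dark; Path=/",              # no Secure flag: sent over HTTP too
    ]), login)
    # The static image case from the post: same host, HTTPS vs. HTTP.
    return {
        "https": cookies_sent_to(jar, "https://www.example.com/img/logo.png"),
        "http": cookies_sent_to(jar, "http://www.example.com/img/logo.png"),
    }


if __name__ == "__main__":
    for scheme, header in secure_cookie_demo().items():
        print(f"{scheme:5} request -> Cookie: {header!r}")
```

The HTTP request carries only the non-Secure cookie, which is also why a session cookie without the Secure attribute is exposed as soon as one sub-resource of a secure page is fetched over HTTP.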
Current thread:
- Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 27)
- Re: [Webappsec] Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 27)
- Cookie Secure Attribute - Clarification John Wilander (Feb 27)
- Re: Cookie Secure Attribute - Clarification arvind doraiswamy (Feb 28)
- Re: Cookie Secure Attribute - Clarification 51l3n73y3s (Mar 01)
- Cookie Secure Attribute - Clarification John Wilander (Feb 27)