http


Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easily intercepted by an active network attacker. According to RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
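As an added illustration (not part of the question or the answer above), the following Python model reproduces the two user-agent rules the answer relies on from RFC 6265: a Secure cookie is attached only to https:// requests, so the plain-HTTP request to http://domain.tld/ in the question carries nothing; and, under the original RFC 6265 storage model, a Set-Cookie received over plain HTTP may still overwrite that Secure cookie, which is the integrity caveat. The domain name domain.tld is taken from the question, the first Set-Cookie line is the one from the answer, and the attacker's cookie is constructed for the example; the optional `leave_secure_cookies_alone` switch models the later rule (RFC 6265bis, adopted by current browsers) that rejects such overwrites.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Set-Cookie line from the answer above (a sample value, not a live session).
SET_COOKIE_SECURE = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"
# Same cookie without the Secure attribute, for comparison (constructed).
SET_COOKIE_INSECURE = "SID=31d4d96e407aad42; Path=/; HttpOnly"
# Cookie an active network attacker injects into a plain-HTTP response (constructed).
SET_COOKIE_ATTACKER = "SID=attacker-chosen; Path=/"


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False  # only restricts script access; irrelevant to sending


def parse_set_cookie(header: str) -> Cookie:
    """Minimal RFC 6265 section 5.2 parser: name=value plus Path, Secure, HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path":
            cookie.path = val.strip() or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


class CookieJar:
    """User-agent cookie store keyed by (name, path); host handling is omitted
    because every request in this example goes to the same host."""

    def __init__(self, leave_secure_cookies_alone: bool = False):
        self.cookies: dict[tuple[str, str], Cookie] = {}
        self.leave_secure_cookies_alone = leave_secure_cookies_alone

    def store(self, cookie: Cookie, from_secure_channel: bool) -> bool:
        """Store a received cookie. Returns False if the user agent rejected it.

        Plain RFC 6265 (section 5.3) replaces an existing cookie with the same
        name and path regardless of the channel it arrived on, so an attacker
        on the HTTP side can clobber a Secure cookie. The 'leave secure cookies
        alone' rule refuses an insecure-channel overwrite of a Secure cookie."""
        key = (cookie.name, cookie.path)
        existing = self.cookies.get(key)
        if (self.leave_secure_cookies_alone and existing is not None
                and existing.secure and not from_secure_channel):
            return False
        self.cookies[key] = cookie
        return True

    def cookies_for(self, url: str) -> list[Cookie]:
        """Cookies the user agent would attach to a request for url (section 5.4).
        Path matching is simplified to a plain prefix test."""
        parts = urlsplit(url)
        secure_channel = parts.scheme == "https"
        request_path = parts.path or "/"
        chosen = []
        for cookie in self.cookies.values():
            if cookie.secure and not secure_channel:
                continue  # Secure cookies never leave over plain HTTP
            if not request_path.startswith(cookie.path):
                continue
            chosen.append(cookie)
        return chosen

    def cookie_header(self, url: str) -> str:
        """The Cookie request header value, empty if nothing is sent."""
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies_for(url))


def redirect_leak(set_cookie: str) -> tuple[str, str]:
    """Cookie header sent on the initial http:// request and on the https:// one,
    after the site set the given cookie over HTTPS (the scenario in the question)."""
    jar = CookieJar()
    jar.store(parse_set_cookie(set_cookie), from_secure_channel=True)
    return jar.cookie_header("http://domain.tld/"), jar.cookie_header("https://domain.tld/")


def insecure_overwrite(leave_secure_cookies_alone: bool) -> str:
    """Value of SID seen by the HTTPS site after an attacker injects a Set-Cookie
    into a plain-HTTP response (the integrity caveat quoted from RFC 6265)."""
    jar = CookieJar(leave_secure_cookies_alone=leave_secure_cookies_alone)
    jar.store(parse_set_cookie(SET_COOKIE_SECURE), from_secure_channel=True)
    jar.store(parse_set_cookie(SET_COOKIE_ATTACKER), from_secure_channel=False)
    return jar.cookie_header("https://domain.tld/")


if __name__ == "__main__":
    print("Secure cookie, http then https:", redirect_leak(SET_COOKIE_SECURE))
    print("No Secure flag, http then https:", redirect_leak(SET_COOKIE_INSECURE))
    print("RFC 6265 overwrite:", insecure_overwrite(False))
    print("Leave-secure-cookies-alone:", insecure_overwrite(True))
```

Run it and the first line shows an empty Cookie header on the http:// hop and the session ID only on https://, which is exactly what the Secure attribute buys. The second line shows the session ID on both hops, which is the question's leak. The third line shows the attacker-chosen value reaching the HTTPS site under plain RFC 6265, and the fourth shows the newer rule rejecting it; the practical lesson is that Secure alone is not enough if session fixation matters, so regenerate the session ID on login and prefer the `__Host-` prefix where browsers support it.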
