Sensitive authentication cookie sent using HTTP
Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated. The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure). It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy for an active network attacker to intercept. According to RFC 6265:

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:

Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly

However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
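To make the two RFC 6265 rules quoted in the answer concrete, here is an added example (not part of the original answer) that models a user agent's cookie jar: it parses a Set-Cookie header, only attaches a Secure cookie to https:// requests, and, as the second quote describes, still lets a plain-HTTP response overwrite a Secure cookie. The host domain.tld and the session id value are constructed sample data from the question and answer.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

class CookieJar:
    """Minimal model of the RFC 6265 storage and sending rules for Secure."""
    def __init__(self):
        self.cookies = {}

    def receive(self, response_url: str, set_cookie: str) -> None:
        # Storage model: the response's scheme is NOT checked, so a plain-HTTP
        # response can set or overwrite a cookie that carries Secure. This is
        # the integrity gap the answer's second RFC quote describes.
        cookie = parse_set_cookie(set_cookie)
        self.cookies[cookie["name"]] = cookie

    def cookies_for(self, request_url: str) -> dict:
        # Sending model: a Secure cookie is attached only over https.
        scheme = urlsplit(request_url).scheme
        sent = {}
        for name, c in self.cookies.items():
            if "secure" in c["attrs"] and scheme != "https":
                continue  # never leaks on the initial http://domain.tld/ request
            sent[name] = c["value"]
        return sent

def demo() -> tuple:
    """Return (cookies sent over http, over https, after http overwrite)."""
    jar = CookieJar()
    sid = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"  # from the answer
    jar.receive("https://domain.tld/login", sid)
    over_http = jar.cookies_for("http://domain.tld/")    # {} : confidentiality held
    over_https = jar.cookies_for("https://domain.tld/")  # {'SID': '31d4d96e407aad42'}
    # Constructed plain-HTTP response carrying a new Secure cookie of the same name.
    jar.receive("http://domain.tld/", "SID=injected-value; Path=/; Secure")
    after_overwrite = jar.cookies_for("https://domain.tld/")  # integrity not held
    return over_http, over_https, after_overwrite
```

Dropping the Secure attribute from the Set-Cookie line in demo() makes over_http return the session id, which is exactly the leak the question describes.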