Sensitive authentication cookie sent using HTTP


Let's say there is a website which, after authentication, sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy for an active network attacker to intercept. According to RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie header is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
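The following is an added example (not part of the question or the answer above) that reproduces the scenario with the Python standard library: a CookieJar plays the role of the browser, the cookie is set by an HTTPS login response, and we then look at which Cookie header the browser would attach to the plain http://domain.tld/ request from the question. The hostname domain.tld and the SID value come from the thread; the /login path, the "weak" Set-Cookie header without Secure, and the audit helper are constructed for the demonstration.

```python
"""Show why a session cookie without the Secure attribute leaks over http://
and that adding Secure stops the browser from sending it at all.

Constructed example: the CookieJar stands in for the browser; domain.tld and
the SID value are taken from the thread, everything else is assumed.
"""
from http.client import HTTPMessage
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed Set-Cookie headers: the weak one lacks Secure, the hardened one
# is the header quoted in the answer.
WEAK_SET_COOKIE = "SID=31d4d96e407aad42; Path=/; HttpOnly"
SECURE_SET_COOKIE = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message object that supports get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = HTTPMessage()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def browser_after_login(set_cookie_header, login_url="https://domain.tld/login"):
    """Return a CookieJar in the state a browser is in after the HTTPS login
    response carried the given Set-Cookie header (login_url is assumed)."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_header]), Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser (jar) would attach to a request
    for url, or None if no stored cookie qualifies. The jar's default policy
    refuses to release a Secure cookie unless the scheme is https or wss."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def audit_set_cookie(set_cookie_header):
    """Server-side check: list the attributes a session cookie should carry
    that this Set-Cookie header lacks."""
    cookies = SimpleCookie()
    cookies.load(set_cookie_header)
    missing = []
    for morsel in cookies.values():
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("secure", SECURE_SET_COOKIE)):
        jar = browser_after_login(header)
        print(f"[{label}] missing attributes: {audit_set_cookie(header) or 'none'}")
        for url in ("http://domain.tld/", "https://domain.tld/"):
            print(f"[{label}] {url} -> Cookie: {cookie_header_for(jar, url)}")
```

With the weak header, the request to http://domain.tld/ carries SID=31d4d96e407aad42 in clear text exactly as the question describes; with the Secure attribute the same request carries no Cookie header, while the HTTPS request still does. The audit function is the kind of check to run against a server's login response to catch the missing attribute before deployment.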