Sensitive authentication cookie sent using HTTP
Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated. The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure). It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy to intercept by an active network attacker. According to RFC 6265:

    The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

In this way, a sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:

    Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly

However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:

    Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
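To make the answer's point concrete, here is an added example (not code from the question or the answer above) that parses a Set-Cookie header, applies the RFC 6265 scope rule the answer quotes, and reports to which URLs of the question's http-then-redirect chain the cookie would be sent in the clear. The header values, the host domain.tld and the redirect chain are constructed for illustration; the path-match check is a simplified prefix match rather than the full RFC algorithm.

```python
"""Audit a Set-Cookie header for the Secure attribute and simulate which
requests a user agent would attach the cookie to (RFC 6265 scope rules).
Added example; the headers, host and URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed headers: the first mirrors the RFC 6265 example in the answer,
# the second is the same session cookie without the Secure attribute.
SECURE_HEADER = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"
INSECURE_HEADER = "SID=31d4d96e407aad42; Path=/; HttpOnly"

# The question's scenario: the browser first requests the plain-http URL
# and is then redirected to https (constructed chain, same host).
REDIRECT_CHAIN = ["http://domain.tld/", "https://domain.tld/"]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain, ...) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def user_agent_would_send(attrs, url):
    """Apply the scope rules that matter here: the request path must match
    the cookie's Path (simplified prefix match), and a cookie carrying
    Secure is attached only when the request goes over https."""
    parts = urlsplit(url)
    request_path = parts.path or "/"
    cookie_path = attrs.get("path", "/")
    if not request_path.startswith(cookie_path):
        return False
    if attrs.get("secure") is True and parts.scheme.lower() != "https":
        return False
    return True


def plaintext_exposures(header, urls):
    """Return the URLs among `urls` to which the cookie would be sent over
    a non-TLS channel, i.e. where anyone on the network path can read it."""
    _, _, attrs = parse_set_cookie(header)
    return [u for u in urls
            if urlsplit(u).scheme.lower() == "http"
            and user_agent_would_send(attrs, u)]


def audit_set_cookie(header):
    """Return a list of findings for a session cookie header; empty if OK."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure; sent over plain HTTP requests")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly; readable from page scripts")
    return findings


if __name__ == "__main__":
    for header in (INSECURE_HEADER, SECURE_HEADER):
        print(header)
        print("  sent in clear to:", plaintext_exposures(header, REDIRECT_CHAIN))
        for finding in audit_set_cookie(header):
            print("  finding:", finding)
```

Run against the two constructed headers, the cookie without Secure is reported as exposed on the http://domain.tld/ hop of the redirect, while the cookie with Secure is never attached to that request. Note that, as the answer's second RFC quote says, this check only covers confidentiality: the Secure attribute says nothing about whether a plain-http response is allowed to set or overwrite the cookie, so a server should also avoid serving any application content over http at all rather than relying on the attribute alone.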