Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, it is easy for an active network attacker to intercept them. According to RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
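The following is an added example, not part of the question or the answer above, that uses only the Python standard library to show the behaviour the answer describes: a standards-following client (here http.cookiejar) attaches a Secure cookie to https:// requests but withholds it from the plain http:// request that triggers the redirect, while a cookie set without Secure is sent over both. It also includes a small audit helper that reports which of the Secure and HttpOnly attributes a Set-Cookie header is missing. The host domain.tld, the /login path and the cookie value are constructed placeholders; FakeResponse is a hypothetical stand-in for an HTTP response, just enough for CookieJar.extract_cookies().

```python
# Added example (not from the original question or answer). Standard library only.
# Assumptions: the host "domain.tld", the "/login" path and the cookie value are
# constructed placeholders; FakeResponse is a hypothetical minimal response object.
import email.message
import http.cookiejar
import urllib.request

# The Set-Cookie line quoted in the answer, and a weak variant without Secure/HttpOnly.
EXAMPLE_SECURE = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"
EXAMPLE_PLAIN = "SID=31d4d96e407aad42; Path=/"


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies() only
    needs .info() to return a message object with get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            # Message.__setitem__ appends, so several Set-Cookie headers are allowed.
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def cookie_sent_on(set_cookie_header, login_url, later_url):
    """Store the cookie from a (simulated) response to login_url, then report
    whether the client attaches it to a subsequent request for later_url."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy enforces the Secure scope rule
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse([set_cookie_header]), login_req)

    later_req = urllib.request.Request(later_url)
    jar.add_cookie_header(later_req)  # adds a Cookie header only if policy allows it
    return later_req.has_header("Cookie")


def audit_set_cookie(set_cookie_header):
    """Return the attributes a session cookie should carry but this header lacks."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]
    }
    return [name for name in ("Secure", "HttpOnly") if name.lower() not in attributes]


if __name__ == "__main__":
    login = "https://domain.tld/login"
    for label, header in (("Secure", EXAMPLE_SECURE), ("no Secure", EXAMPLE_PLAIN)):
        for later in ("https://domain.tld/", "http://domain.tld/"):
            print(f"{label:9} cookie -> {later}: sent={cookie_sent_on(header, login, later)}")
        print(f"{label:9} cookie missing attributes: {audit_set_cookie(header)}")
```

Running it shows the cookie set with Secure is sent to https://domain.tld/ but not to http://domain.tld/, while the cookie set without Secure is sent to both, which is exactly the leak the question describes. The audit helper is the check to run against your own application's Set-Cookie responses; note that, as the answer says, Secure does not stop an attacker on the insecure channel from overwriting the cookie, so it fixes the confidentiality problem only.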