Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy to intercept for an active network attacker. According to RFC6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, which keeps it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
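As an added illustration (not part of the question or the answer above), the following Python snippet models the user-agent decision the quoted RFC text describes: it parses the answer's Set-Cookie line with and without the Secure attribute and reports whether the cookie would be attached to the plain http://domain.tld/ request from the question. The Set-Cookie header strings are constructed for the example, and domain matching is deliberately omitted (same host is assumed) to keep the path and Secure logic in focus.

```python
from urllib.parse import urlsplit

# Constructed headers: the weak form (no Secure) and the hardened form from the answer.
WEAK = "Set-Cookie: SID=31d4d96e407aad42; Path=/"
HARDENED = "Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Parse a Set-Cookie line into name, value, Path and the Secure/HttpOnly flags."""
    raw = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip():
            cookie["path"] = val.strip()
        elif key in ("secure", "httponly"):   # flag attributes carry no value
            cookie[key] = True
    return cookie


def would_send(cookie, url):
    """Model the user agent: attach the cookie only if the request path matches the
    cookie's Path and, when Secure is set, the request goes over https.
    Domain matching is omitted here (same host assumed)."""
    u = urlsplit(url)
    path = u.path or "/"
    cookie_path = cookie["path"]
    path_ok = path == cookie_path or path.startswith(cookie_path.rstrip("/") + "/")
    if cookie["secure"] and u.scheme != "https":
        return False
    return path_ok


def audit(header):
    """List the protections a sensitive session cookie is missing."""
    c = parse_set_cookie(header)
    return [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
            if not c[key]]


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        c = parse_set_cookie(hdr)
        print(label, "missing:", audit(hdr),
              "sent on http://domain.tld/ ->", would_send(c, "http://domain.tld/"))
```

The weak header is exactly the situation in the question: the session cookie rides along on the first plaintext request before the redirect, while the hardened header keeps it on HTTPS only.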
