Sensitive authentication cookie sent using HTTP

Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise they are easily intercepted by an active network attacker. According to RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
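The following is an added example, not part of the original question or answer. It uses Python's standard-library http.cookiejar, which implements RFC 6265 cookie handling, as a stand-in for the browser in the question: it stores the cookie from a login response, then shows which Cookie header the jar would attach to an http:// request versus an https:// request, first without and then with the Secure attribute. The last function reproduces the integrity caveat quoted above: an attacker who can inject a response into the plaintext http://domain.tld/ request overwrites the Secure cookie with a value of their choosing. The hostname domain.tld and the SID value come from the thread; the "attacker-chosen" value and the /login and /account paths are constructed for the example.

```python
"""Model the question's scenario with Python's RFC 6265 cookie jar (added example)."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed for this example: the hostname from the question and the
# cookie value from the answer's Set-Cookie line.
LOGIN_URL = "https://domain.tld/login"
PLAIN_HTTP_URL = "http://domain.tld/"
ACCOUNT_URL = "https://domain.tld/account"
SESSION_VALUE = "31d4d96e407aad42"


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def receive(jar, url, set_cookie):
    """Store the cookie a response to `url` carried in its Set-Cookie header."""
    jar.extract_cookies(_Response([set_cookie]), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def leak_without_secure():
    """Cookie set without Secure: the jar sends it on the plaintext http:// request."""
    jar = CookieJar()
    receive(jar, LOGIN_URL, f"SID={SESSION_VALUE}; Path=/; HttpOnly")
    return cookie_header_for(jar, PLAIN_HTTP_URL)


def no_leak_with_secure():
    """Cookie set with Secure: withheld over http://, still sent over https://."""
    jar = CookieJar()
    receive(jar, LOGIN_URL, f"SID={SESSION_VALUE}; Path=/; Secure; HttpOnly")
    return (cookie_header_for(jar, PLAIN_HTTP_URL), cookie_header_for(jar, ACCOUNT_URL))


def overwrite_from_insecure_channel():
    """Secure protects confidentiality only: a response injected into the plaintext
    http://domain.tld/ request replaces the Secure cookie, and the attacker-chosen
    value is then sent on later https:// requests (RFC 6265 section 8.6 behaviour)."""
    jar = CookieJar()
    receive(jar, LOGIN_URL, f"SID={SESSION_VALUE}; Path=/; Secure; HttpOnly")
    # Constructed attacker response on the non-TLS hop; no Secure attribute needed.
    receive(jar, PLAIN_HTTP_URL, "SID=attacker-chosen; Path=/")
    return cookie_header_for(jar, ACCOUNT_URL)


if __name__ == "__main__":
    print("no Secure, sent over http:// :", leak_without_secure())
    print("Secure, (http, https)        :", no_leak_with_secure())
    print("after injection over http:// :", overwrite_from_insecure_channel())
```

Python's DefaultCookiePolicy follows the original RFC 6265 text and lets a non-secure response replace a Secure cookie, which is exactly the integrity gap the quoted paragraph describes. Current browsers implement the "Leave Secure Cookies Alone" rule from the RFC 6265bis draft and refuse that overwrite, and naming the cookie with the __Host- prefix (which requires Secure, Path=/ and no Domain attribute) makes the rule enforceable regardless of which channel the attacker controls. Neither change removes the need for the Secure attribute itself, and the redirect from http://domain.tld/ remains a plaintext hop where a cookie lacking it is exposed.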