http


Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?

Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy to intercept by an active network attacker. According to RFC6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
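As an added example (not code from the question or the answer above), the following Python script parses a Set-Cookie header value, flags a session cookie that lacks Secure or HttpOnly, and applies the RFC 6265 user-agent rule to decide whether the cookie would accompany a plain http://domain.tld/ request like the redirect described in the question. The header values and URLs are constructed for illustration.

```python
"""Audit Set-Cookie attributes and simulate the RFC 6265 Secure rule (added example)."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"secure": False, "httponly": False, "path": "/"}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):        # flag attributes take no value
            attrs[key] = True
        elif key == "path" and val.strip().startswith("/"):
            attrs["path"] = val.strip()
    return name.strip(), value.strip(), attrs


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def user_agent_would_send(attrs, url):
    """Would a conforming user agent attach this cookie to a request for url?"""
    u = urlsplit(url)
    if attrs["secure"] and u.scheme != "https":   # Secure: only over a secure channel
        return False
    return path_matches(u.path or "/", attrs["path"])


def audit(header):
    """List the attributes a session cookie should carry but does not."""
    attrs = parse_set_cookie(header)[2]
    findings = []
    if not attrs["secure"]:
        findings.append("missing Secure")
    if not attrs["httponly"]:
        findings.append("missing HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed headers: the first mirrors the question, the second the answer's fix.
    for hdr in ("SID=31d4d96e407aad42; Path=/", "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"):
        sent = user_agent_would_send(parse_set_cookie(hdr)[2], "http://domain.tld/")
        print(hdr, "->", audit(hdr) or "ok", "| sent over plain HTTP:", sent)
```

For the weak header the script reports both missing attributes and confirms the cookie would be sent in the clear on the http:// redirect; with Secure set it is withheld.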
