Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy to intercept for an active network attacker. According to RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
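The two points of the answer above (Secure keeps the cookie off plaintext requests; Secure does not stop an insecure response from overwriting it) can be made concrete with a minimal cookie jar that follows the RFC 6265 rules for the Secure attribute. This is an added example, not code from the question, the answer or any real browser; the host name domain.tld, the paths, the SID values and the attacker's Set-Cookie header are constructed for the demo, and the leaveSecureCookiesAlone option models the later "leave secure cookies alone" hardening (RFC 6265bis) that plain RFC 6265 does not have.

```javascript
// Added example: a minimal RFC 6265-style cookie jar showing what the Secure
// attribute does (confidentiality) and does not do (integrity).
// domain.tld, the cookie values and the attacker header are constructed.

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value received in a response to responseUrl.
// Only Path, Secure and HttpOnly are modelled; Domain, Expires, Max-Age and
// SameSite are ignored here.
function parseSetCookie(header, responseUrl) {
  const url = new URL(responseUrl);
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // cookie name must be non-empty
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: url.hostname, // host-only cookie
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const name = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (name === 'secure') cookie.secure = true;
    else if (name === 'httponly') cookie.httpOnly = true;
    else if (name === 'path' && val.startsWith('/')) cookie.path = val;
  }
  return cookie;
}

class CookieJar {
  // leaveSecureCookiesAlone = false reproduces plain RFC 6265 behaviour;
  // true models the RFC 6265bis hardening that modern browsers ship.
  constructor({ leaveSecureCookiesAlone = false } = {}) {
    this.cookies = new Map();
    this.leaveSecureCookiesAlone = leaveSecureCookiesAlone;
  }

  // Store a cookie from a Set-Cookie header. Returns true if stored.
  setCookie(header, responseUrl) {
    const cookie = parseSetCookie(header, responseUrl);
    if (!cookie) return false;
    const key = `${cookie.name}|${cookie.domain}|${cookie.path}`;
    const fromSecureChannel = new URL(responseUrl).protocol === 'https:';
    if (this.leaveSecureCookiesAlone && !fromSecureChannel) {
      // A non-secure response may neither create a Secure cookie nor
      // overwrite an existing Secure cookie with the same name/domain/path.
      if (cookie.secure) return false;
      const existing = this.cookies.get(key);
      if (existing && existing.secure) return false;
    }
    this.cookies.set(key, cookie); // plain RFC 6265: overwrite unconditionally
    return true;
  }

  // Build the Cookie request header for requestUrl. Secure cookies are only
  // attached when the request itself goes over https (RFC 6265 section 5.4).
  cookieHeaderFor(requestUrl) {
    const url = new URL(requestUrl);
    const secureChannel = url.protocol === 'https:';
    const pairs = [];
    for (const c of this.cookies.values()) {
      if (c.domain !== url.hostname) continue;
      if (!pathMatches(url.pathname, c.path)) continue;
      if (c.secure && !secureChannel) continue;
      pairs.push(`${c.name}=${c.value}`);
    }
    return pairs.join('; ');
  }
}

// Replay the situation from the question and return what each request carries.
function demo() {
  // 1. Cookie set over HTTPS without Secure: the http://domain.tld/ request leaks it.
  const leaky = new CookieJar();
  leaky.setCookie('SID=31d4d96e407aad42; Path=/; HttpOnly', 'https://domain.tld/login');
  const leakedHeader = leaky.cookieHeaderFor('http://domain.tld/');

  // 2. Same cookie with Secure: the http request carries no cookie, https does.
  const safe = new CookieJar();
  safe.setCookie('SID=31d4d96e407aad42; Path=/; Secure; HttpOnly', 'https://domain.tld/login');
  const httpHeader = safe.cookieHeaderFor('http://domain.tld/');
  const httpsHeader = safe.cookieHeaderFor('https://domain.tld/account');

  // 3. Integrity caveat: an active attacker who answers the plaintext request
  //    can still overwrite the Secure cookie under plain RFC 6265 rules ...
  const overwritten = safe.setCookie('SID=attacker-chosen; Path=/; Secure', 'http://domain.tld/');
  const afterAttack = safe.cookieHeaderFor('https://domain.tld/account');

  //    ... but not in a jar that leaves Secure cookies alone.
  const hardened = new CookieJar({ leaveSecureCookiesAlone: true });
  hardened.setCookie('SID=31d4d96e407aad42; Path=/; Secure; HttpOnly', 'https://domain.tld/login');
  const rejected = !hardened.setCookie('SID=attacker-chosen; Path=/; Secure', 'http://domain.tld/');
  const hardenedHeader = hardened.cookieHeaderFor('https://domain.tld/account');

  return { leakedHeader, httpHeader, httpsHeader, overwritten, afterAttack, rejected, hardenedHeader };
}

console.log(demo());
```

Run it with node; step 1 shows the leak the question describes, step 2 shows the Secure attribute removing it, and step 3 shows why the answer's integrity caveat matters: under plain RFC 6265 the attacker's plaintext response replaces the session cookie that later rides the HTTPS connection.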
