

Sensitive authentication cookie sent using HTTP


Let's say there is a website, which after authentication sets a browser cookie. This cookie is sufficient to authenticate a user, so if I were to transfer it to another computer's browser, the website would consider this browser authenticated.
The website uses HTTPS for all communications, except for the following. Whenever a user sends a request to http://domain.tld/ and gets redirected, the sensitive cookie gets sent in the first request, using HTTP (non-secure).
It seems weird to use HTTPS after sending the key using plain text. Is this a security concern, or am I not understanding this correctly?
Sensitive cookies need to be protected by the Secure attribute. Otherwise, they are easy for an active network attacker to intercept. According to RFC6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
In this way, the sensitive authentication cookie won't be sent in non-HTTPS requests, thus keeping it confidential. An example Set-Cookie statement is:
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
However, please note that the Secure attribute only protects the cookie's confidentiality, not its integrity:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
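The two points in this answer (Secure stops the cookie from riding along on the http://domain.tld/ redirect request, but by itself does not stop an attacker on the plain-HTTP channel from overwriting it) can be shown with a small cookie jar that follows the RFC 6265 storage and retrieval rules. This is an added example written for this page, not code from the answer, from any browser, or from the site in the question; the jar is a simplified model (it handles only Path, Secure and HttpOnly, ignores Domain and expiry), and the hypothetical `leaveSecureCookiesAlone` option models the later "Leave Secure Cookies Alone" rule from the RFC 6265bis draft that modern browsers implement, which the original RFC text quoted above does not include.

```javascript
// Minimal RFC 6265-style cookie jar, added as an illustration (not a real
// browser implementation). Runs under Node.js with no dependencies.

function parseSetCookie(header) {
  // "NAME=VALUE; attr; attr=val" -> object with the attributes we model.
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = v || '/'; break;
      default: break; // Domain, Expires, Max-Age, SameSite are not modelled here
    }
  }
  return cookie;
}

class CookieJar {
  // leaveSecureCookiesAlone: false = classic RFC 6265 (insecure channel may
  // overwrite a Secure cookie); true = RFC 6265bis rule that rejects such sets.
  constructor({ leaveSecureCookiesAlone = false } = {}) {
    this.store = new Map();
    this.leaveSecureCookiesAlone = leaveSecureCookiesAlone;
  }

  // RFC 6265 s5.3 storage: the channel a Set-Cookie arrived on is not checked.
  // Returns true if the cookie was stored.
  receive(setCookie, responseUrl) {
    const c = parseSetCookie(setCookie);
    const secureChannel = new URL(responseUrl).protocol === 'https:';
    if (this.leaveSecureCookiesAlone && !secureChannel) {
      if (c.secure) return false;                       // Secure flag from http://: refuse
      const existing = this.store.get(c.name);
      if (existing && existing.secure) return false;    // would shadow a Secure cookie: refuse
    }
    this.store.set(c.name, c);
    return true;
  }

  // RFC 6265 s5.4 retrieval: Secure cookies go out only over a secure channel.
  cookieHeader(requestUrl) {
    const u = new URL(requestUrl);
    const secureChannel = u.protocol === 'https:';
    const sent = [];
    for (const c of this.store.values()) {
      if (c.secure && !secureChannel) continue;
      if (!u.pathname.startsWith(c.path)) continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}

// Scenario from the question: the cookie is set after login over HTTPS, then
// the user types http://domain.tld/ and the browser sends that first request.
function redirectRequestCookies(setCookieHeader) {
  const jar = new CookieJar();
  jar.receive(setCookieHeader, 'https://domain.tld/login');
  return {
    plainHttp: jar.cookieHeader('http://domain.tld/'),   // what a sniffer sees
    https: jar.cookieHeader('https://domain.tld/'),      // after the redirect
  };
}

// Integrity caveat: an attacker who can answer the http://domain.tld/ request
// injects their own Set-Cookie. Under classic RFC 6265 it replaces the Secure
// session cookie and is then sent over HTTPS; under the bis rule it is dropped.
function sessionAfterInsecureOverwrite(leaveSecureCookiesAlone) {
  const jar = new CookieJar({ leaveSecureCookiesAlone });
  jar.receive('SID=31d4d96e407aad42; Path=/; Secure; HttpOnly', 'https://domain.tld/login');
  jar.receive('SID=attacker-chosen; Path=/', 'http://domain.tld/'); // constructed injected response
  return jar.cookieHeader('https://domain.tld/');
}
```

Without Secure, `redirectRequestCookies` returns the session ID for the http:// request, which is exactly the leak in the question; with Secure the plain-HTTP request carries no cookie and only the HTTPS request does. `sessionAfterInsecureOverwrite(false)` reproduces the RFC 6265 integrity problem quoted above (the attacker's value is what the HTTPS request now sends), and `sessionAfterInsecureOverwrite(true)` shows why HSTS plus a browser that refuses Secure-cookie overwrites from http:// is the practical fix, not the Secure attribute alone.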
