Msg#: 3789734 posted 4:48 pm on Nov 19, 2008 (gmt 0)
I was recently alerted that one of our online forms is passing cookies from the client browser to our host in an insecure fashion (SSL security is not invoked). I recently set up the form to only load when SSL security is in place. Does the client need to clear his or her cookies or cache? Please let me know if you need more information.
Msg#: 3789734 posted 11:53 am on Nov 27, 2008 (gmt 0)
I suppose you would have to set up a different cookie once the connection is secure. The common mistake many sites make (including popular ones) is that they allow switching from secure to non-secure pages with the same session/cookie. E.g.:
1. we go to http://www.example.com
2. we log in via the secure form at https://www.example.com/login.asp
3. and we can browse the store (while logged in) at: http://www.example.com/products_to_buy.asp, http://www.example.com/cart.asp, etc.
Do you see the problem? Sessions/cookies are now passed via non-secure connections. Theoretically one should maintain secure connections from the moment someone logs in until he logs out (or the session expires and so another set of cookies is sent). But most feel that slows down page loading and they don't care about security even if they have the expensive EV SSL in place.
Msg#: 3789734 posted 6:55 pm on Dec 1, 2008 (gmt 0)
rcshield, you could maintain different cookies. I am using just one, a session cookie, for simplicity, but it goes like this. The visitor comes into the site, browses the secure/non-secure pages, but the moment he logs in, I destroy the session cookie (removing it from the database) and create a new session and send another cookie. Then I instruct the code to maintain secure mode throughout the new session. If someone attempts to use a non-secure page with the cookie from the secure session you could block it or destroy the session right then (e.g. if someone manually changes a page from https to http while he's logged in).
It depends on the site and implementation. Although a bit more complex, you could create a separate session and send a different cookie for secure vs. non-secure pages. I simplify it with one session and maintaining SSL after login, because I would have to join certain components of the two sessions (e.g. products in the shopping cart, layout details), which is complicated.
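The two replies above describe the same scheme in words: an ordinary session while browsing, a brand-new session id and cookie at login, SSL maintained from then on, and any logged-in session that shows up on a plain-http page destroyed on the spot. The following is an added example that is not code from the thread or from the poster's site; it is written in Python rather than the classic ASP the thread mentions, and `SessionStore`, `Request`, `Response`, `handle_request` and the `_USERS` table are hypothetical stand-ins for the poster's database and pages. It also shows the `Secure` and `HttpOnly` cookie attributes, which the thread does not name but which are the standard way to make the browser itself refuse to send the post-login cookie over http.

```python
"""Sketch of the scheme from the thread: plain browsing session before login,
a fresh session id plus a Secure cookie at login, and server-side destruction
of any logged-in session that arrives over plain http.

Added example, not code from the thread. All names below are hypothetical;
the in-memory dict stands in for the poster's session database.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

COOKIE_NAME = "sid"

# Constructed sample credentials; a real site checks a salted password hash.
_USERS = {"alice": "correct horse"}


def check_password(user: Optional[str], pw: Optional[str]) -> bool:
    stored = _USERS.get(user or "")
    return stored is not None and hmac.compare_digest(stored, pw or "")


@dataclass
class Session:
    user: Optional[str] = None            # None until login succeeds
    cart: list = field(default_factory=list)


@dataclass
class Request:
    scheme: str                           # "http" or "https"
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


class SessionStore:
    """Stands in for the database table the post talks about."""

    def __init__(self) -> None:
        self._sessions = {}

    def new(self, **fields) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(**fields)
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def cookie_header(sid: str, secure: bool) -> str:
    attrs = [f"{COOKIE_NAME}={sid}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")            # browser will not send it over http
    return "; ".join(attrs)


def cookie_value(set_cookie: str) -> str:
    """Extract the sid from a Set-Cookie header built by cookie_header()."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def handle_request(store: SessionStore, req: Request) -> Response:
    sid = req.cookies.get(COOKIE_NAME)
    sess = store.get(sid)

    # Unknown or missing sid: plain browsing session without the Secure flag,
    # so the visitor can move between http and https catalogue pages.
    if sess is None:
        sid = store.new()
        return Response(200, "anonymous", cookie_header(sid, secure=False))

    # A logged-in session over http means a manual https->http edit or a
    # leaked cookie; the post's answer is to destroy the session right then.
    if sess.user is not None and req.scheme != "https":
        store.destroy(sid)
        return Response(403, "logged-in session used over http; session destroyed")

    if req.path == "/login.asp":
        if req.scheme != "https":
            return Response(403, "login form only served over https")
        if not check_password(req.form.get("user"), req.form.get("pw")):
            return Response(401, "bad credentials")
        # Regenerate: drop the pre-login sid, carry the cart into a fresh
        # session, and mark the new cookie Secure.
        store.destroy(sid)
        new_sid = store.new(user=req.form["user"], cart=sess.cart)
        return Response(200, f"welcome {req.form['user']}",
                        cookie_header(new_sid, secure=True))

    return Response(200, f"{req.path} as {sess.user or 'anonymous'}")
```

The regeneration at login is what makes the first poster's question moot: the pre-login cookie is deleted server-side, so a copy of it captured over http is worthless afterwards, whether or not the client clears anything. The cart is carried across by reference to avoid the "join two sessions" problem the last reply mentions; it is the only state the example keeps.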