
Webmaster General Forum

Passing Cookies
How do I prevent the unsecure passing of browser cookies?

5+ Year Member

Msg#: 3789734 posted 4:48 pm on Nov 19, 2008 (gmt 0)

I was recently alerted that one of our online forms is passing cookies from the client browser to our host in an insecure fashion (SSL security is not invoked). I recently set up the form to only load when SSL security is in place. Does the client need to clear his or her cookies or cache?
Please let me know if you need more information.



WebmasterWorld Senior Member 5+ Year Member

Msg#: 3789734 posted 11:53 am on Nov 27, 2008 (gmt 0)

I suppose you would have to set up a different cookie once the connection is secure. The common mistake many sites make (including popular ones) is that they allow switching from secure to non-secure pages with the same session/cookie. E.g.:
1. we go to http://www.example.com
2. we login via the secure form at https://www.example.com/login.asp
3. and we can browse the store (while logged-in) at:
Do you see the problem? Sessions/Cookies are now passed via non-secure connections. Theoretically one should maintain secure connections from the moment someone logs-in till he logs-out (or the session expires and so another set of cookies is sent). But most feel that slows down page loading and they don't care about security even if they have the expensive EV SSL in place.


5+ Year Member

Msg#: 3789734 posted 4:09 pm on Dec 1, 2008 (gmt 0)

Thank you, enigma1. Do you recommend that I create secure and non-secure cookies for my online form? Do you think that this will resolve the problem? Thank you for your help.


WebmasterWorld Senior Member 5+ Year Member

Msg#: 3789734 posted 6:55 pm on Dec 1, 2008 (gmt 0)

rcshield, you could maintain different cookies. I am using just one, a session cookie, for simplicity, but it goes like this. Visitor comes into the site, browses the secure/non-secure pages, but the moment he logs-in, I destroy the session cookie (removing it from the database) and create a new session and send another cookie. Then I instruct the code to maintain secure mode throughout the new session. If someone attempts to use a non-secure page with the cookie from the secure session you could block it or destroy the session right then (e.g. if, say, someone manually changes a page from https to http while he's logged in).

It depends on the site and implementation. Although a bit more complex, you could create a separate session and send a different cookie for secure vs. non-secure pages. I simplify it with one session and maintaining SSL after login, because I would otherwise have to join certain components of the two sessions (e.g. products in the shopping cart, layout details), which is complicated.
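The scheme enigma1 describes (destroy the anonymous session at login, issue a fresh HTTPS-only one, and kill it if the cookie shows up over plain HTTP), as an added example that is not code from the thread. `SessionStore` and `set_cookie_header` are hypothetical names, and an in-memory dict stands in for the poster's database.

```python
# Added example: session rotation on login plus rejection of a post-login
# session cookie presented over a non-SSL request. Not the poster's code.
import secrets


class SessionStore:
    """Minimal in-memory session table (stands in for a database)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str | None, "secure": bool}

    def new_session(self, secure=False, user=None):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = {"user": user, "secure": secure}
        return sid

    def login(self, old_sid, user):
        """Destroy the pre-login session and issue a fresh HTTPS-only one."""
        self.sessions.pop(old_sid, None)  # old id is never reused
        return self.new_session(secure=True, user=user)

    def resolve(self, sid, is_https):
        """Return the session for a request, or None if it must be rejected.

        A logged-in (secure) session presented over plain HTTP is destroyed
        on the spot, the 'destroy the session right then' option above."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess["secure"] and not is_https:
            del self.sessions[sid]
            return None
        return sess


def set_cookie_header(sid, secure):
    """Build the Set-Cookie value. The Secure attribute stops the browser from
    sending the cookie over http:// at all; HttpOnly hides it from scripts."""
    attrs = ["sid=" + sid, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.new_session()
    auth = store.login(anon, "alice")
    print(set_cookie_header(auth, secure=True))
    print(store.resolve(auth, is_https=True))   # the logged-in session
    print(store.resolve(auth, is_https=False))  # None, session destroyed
```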
