Webmaster General Forum

Passing Cookies
How do I prevent the insecure passing of browser cookies?
rcshield
msg:3789736
4:48 pm on Nov 19, 2008 (gmt 0)

I was recently alerted that one of our online forms is passing cookies from the client browser to our host in an insecure fashion (SSL security is not invoked). I recently set up the form to only load when SSL security is in place. Does the client need to clear his or her cookies or cache?
Please let me know if you need more information.

enigma1
msg:3795393
11:53 am on Nov 27, 2008 (gmt 0)

I suppose you would have to set up a different cookie once the connection is secure. The common mistake many sites make (including popular ones) is that they allow switching from secure to non-secure pages with the same session/cookie. E.g.:
1. we go to http://www.example.com
2. we log in via the secure form at https://www.example.com/login.asp
3. and we can browse the store (while logged in) at:
http://www.example.com/products_to_buy.asp
http://www.example.com/cart.asp
etc...
Do you see the problem? Sessions/cookies are now passed via non-secure connections. Theoretically one should maintain secure connections from the moment someone logs in until he logs out (or the session expires, and so another set of cookies is sent). But most feel that slows down page loading, and they don't care about security even if they have the expensive EV SSL in place.

rcshield
msg:3797545
4:09 pm on Dec 1, 2008 (gmt 0)

Thank you, enigma1. Do you recommend that I create secure and non-secure cookies for my online form? Do you think that this will resolve the problem? Thank you for your help.

enigma1
msg:3797671
6:55 pm on Dec 1, 2008 (gmt 0)

rcshield, you could maintain different cookies. I am using just one, a session cookie, for simplicity, but it goes like this. A visitor comes into the site and browses the secure/non-secure pages, but the moment he logs in, I destroy the session cookie (removing it from the database), create a new session and send another cookie. Then I instruct the code to maintain secure mode throughout the new session. If someone attempts to use a non-secure page with the cookie from the secure session, you could block it or destroy the session right then (e.g. if someone tries to manually change a page from https to http while he's logged in).

It depends on the site and implementation. Although a bit more complex, you could create a separate session and send a different cookie for secure vs. non-secure pages. I simplify it with one session and maintaining SSL after login, because I would have to join certain components of the two sessions (e.g. products in the shopping cart, layout details), which is complicated.
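The flow enigma1 describes in the two posts above (the session cookie leaking over plain http once the user is logged in, and the fix of destroying the pre-login session at login, issuing a fresh one that is only honoured over https, and dropping a secure session that turns up on a non-secure page), as an added Python example; this is not code from the thread or from any poster. The `SessionStore` class, the `build_set_cookie` helper, the `browser_sends_cookie` rule and the `run_flow` walkthrough are constructed here. The cookie `Secure` attribute, which tells the browser never to attach the cookie to an http request, is the standard client-side control for the problem in the first post; the thread itself does not name it.

```python
"""Session rotation at login plus HTTPS-only sessions (constructed example)."""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session table: sid -> {"user": ..., "secure_only": bool}."""

    def __init__(self):
        self.sessions = {}

    def start_anonymous(self):
        # Pre-login browsing session; may travel over http or https.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "secure_only": False}
        return sid

    def login(self, old_sid, user):
        # Destroy the pre-login session and issue a brand-new id, so a cookie
        # that was ever sent in the clear can no longer reach the logged-in state.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "secure_only": True}
        return sid

    def lookup(self, sid, scheme):
        """Return the session for sid, or None if it is unknown or if a
        secure-only session is presented over plain http. In the latter case
        the session is destroyed on the spot (the 'block it or destroy it' rule)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess["secure_only"] and scheme != "https":
            del self.sessions[sid]
            return None
        return sess


def build_set_cookie(sid, secure):
    """Build the Set-Cookie value; secure=True adds the Secure attribute."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True
    if secure:
        c["sid"]["secure"] = True
    return c.output(header="").strip()


def browser_sends_cookie(set_cookie_value, scheme):
    """Mimic the browser rule: a cookie carrying Secure is only attached to
    https requests; one without it is sent over http as well."""
    has_secure = any(part.strip() == "Secure" for part in set_cookie_value.split(";"))
    return scheme == "https" or not has_secure


def run_flow():
    """Walk through the thread's scenario and return what each step observed."""
    store = SessionStore()
    anon = store.start_anonymous()
    anon_cookie = build_set_cookie(anon, secure=False)

    # 1. Plain-http browsing with the anonymous cookie works.
    anon_over_http = store.lookup(anon, "http") is not None

    # 2. Login over https: old sid is gone, new sid is secure-only.
    user_sid = store.login(anon, "alice")
    old_sid_dead = store.lookup(anon, "https") is None
    user_cookie = build_set_cookie(user_sid, secure=True)

    # 3. Browser fetches http://.../cart.asp while logged in: with Secure set
    #    the cookie is simply not sent.
    cookie_sent_http = browser_sends_cookie(user_cookie, "http")

    # 4. If the logged-in sid does arrive over http anyway, the server refuses
    #    it and destroys the session, so even https cannot resume it afterwards.
    rejected_http = store.lookup(user_sid, "http") is None
    dead_after_https = store.lookup(user_sid, "https") is None

    return {
        "anon_over_http": anon_over_http,
        "anon_cookie_secure": "Secure" in anon_cookie,
        "old_sid_dead": old_sid_dead,
        "user_cookie_secure": "Secure" in user_cookie,
        "cookie_sent_http": cookie_sent_http,
        "rejected_http": rejected_http,
        "dead_after_https": dead_after_https,
    }


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

Note that step 4 is deliberately strict: a single clear-text appearance of the logged-in session id kills the session, which matches enigma1's "destroy the session right then" rather than merely redirecting back to https. With the `Secure` attribute set, a browser following the rules never produces that request in the first place, so the server-side check is the backstop for clients or proxies that ignore the flag.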

© Webmaster World 1996-2014 all rights reserved