
Passing Cookies

How do I prevent the insecure passing of browser cookies?


rcshield

4:48 pm on Nov 19, 2008 (gmt 0)




I was recently alerted that one of our online forms is passing cookies from the client browser to our host in an insecure fashion (SSL security is not invoked). I recently set up the form to only load when SSL security is in place. Does the client need to clear his or her cookies or cache?
Please let me know if you need more information.

enigma1

11:53 am on Nov 27, 2008 (gmt 0)




I suppose you would have to set up a different cookie once the connection is secure. The common mistake many sites make (including popular ones) is that they allow switching from secure to non-secure pages with the same session/cookie. E.g.:
1. we go to http://www.example.com
2. we log in via the secure form at [example.com...]
3. and we can browse the store (while logged in) at:
http://www.example.com/products_to_buy.asp
http://www.example.com/cart.asp
etc...
Do you see the problem? Sessions/cookies are now passed via non-secure connections. Theoretically one should maintain secure connections from the moment someone logs in till he logs out (or the session expires and so another set of cookies is sent). But most feel that slows down page loading, and they don't care about security even if they have the expensive EV SSL in place.
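The leak enigma1 describes comes down to one cookie attribute. A cookie set during the HTTPS login without the Secure attribute is attached by the browser to every later request for the matching host and path, including the plain-HTTP store pages listed above; a cookie set with Secure is only attached to https:// requests. The following is an added example, not code from the thread or from either poster: it models the browser's send decision for a cookie and checks which of the post's example URLs would carry the session cookie in the clear. The cookie name `session`, the value `abc123`, and the host `www.example.com` are assumptions for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    """The fields of a Set-Cookie header that decide where a cookie is sent."""
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False      # only attach to https:// requests
    http_only: bool = False   # hide from document.cookie (not related to transport)


def set_cookie_header(c: Cookie) -> str:
    """Render the Set-Cookie header the server would emit for this cookie."""
    parts = [f"{c.name}={c.value}", f"Path={c.path}", f"Domain={c.domain}"]
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def browser_would_send(c: Cookie, url: str) -> bool:
    """Approximate the RFC 6265 matching rules a browser applies per request."""
    u = urlsplit(url)
    host = u.hostname or ""
    # Domain attribute matches the domain itself and its subdomains.
    if host != c.domain and not host.endswith("." + c.domain):
        return False
    if not (u.path or "/").startswith(c.path):
        return False
    # The Secure attribute is the only thing stopping a plain-HTTP send.
    if c.secure and u.scheme != "https":
        return False
    return True


def leaked_requests(c: Cookie, urls: list[str]) -> list[str]:
    """URLs from the list on which the cookie would travel without TLS."""
    return [u for u in urls if browser_would_send(c, u) and urlsplit(u).scheme != "https"]


# Constructed sample: the browsing sequence from the post above.
STORE_URLS = [
    "https://www.example.com/login.asp",
    "http://www.example.com/products_to_buy.asp",
    "http://www.example.com/cart.asp",
]
# Assumed cookie set by the secure login page, once without and once with Secure.
INSECURE_COOKIE = Cookie("session", "abc123", "www.example.com", http_only=True)
SECURE_COOKIE = Cookie("session", "abc123", "www.example.com", secure=True, http_only=True)

if __name__ == "__main__":
    print(set_cookie_header(INSECURE_COOKIE))
    print("leaks on:", leaked_requests(INSECURE_COOKIE, STORE_URLS))
    print(set_cookie_header(SECURE_COOKIE))
    print("leaks on:", leaked_requests(SECURE_COOKIE, STORE_URLS))
```

Note that the Secure attribute alone does not fix the site: with the secure cookie the http:// store pages simply no longer see a logged-in visitor, which is why the rest of the thread turns to keeping the whole logged-in session on HTTPS.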

rcshield

4:09 pm on Dec 1, 2008 (gmt 0)




Thank you, enigma1. Do you recommend that I create secure and non-secure cookies for my online form? Do you think that this will resolve the problem? Thank you for your help.

enigma1

6:55 pm on Dec 1, 2008 (gmt 0)




rcshield, you could maintain different cookies. I am using just one, a session cookie, for simplicity, but it goes like this. A visitor comes into the site and browses the secure/non-secure pages, but the moment he logs in, I destroy the session cookie (removing it from the database) and create a new session and send another cookie. Then I instruct the code to maintain secure mode throughout the new session. If someone attempts to use a non-secure page with the cookie from the secure session, you could block it or destroy the session right then (e.g. if someone manually changes a page from https to http while he's logged in).

It depends on the site and implementation. Although a bit more complex, you could create a separate session and send a different cookie for secure vs. non-secure pages. I simplify it with one session and maintaining SSL after login, because otherwise I would have to join certain components of the two sessions (e.g. products in the shopping cart, layout details), which is complicated.
