Web Application Security
Cookie Secure Attribute - Clarification Feb 26 2010 01:18PM
arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
Re: Cookie Secure Attribute - Clarification Feb 27 2010 12:41PM
51l3n73y3s (51l3n7 live in)
It will be in plain-text if both HTTP and HTTPS are enabled for the
application. If only HTTP, not sent. If only HTTPS, sent encrypted.

Regards, Sandeep

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy (at) gmail (dot) com>
Sent: Friday, February 26, 2010 6:48 PM
To: <webappsec (at) securityfocus (dot) com>; <webappsec (at) lists.owasp (dot) org>
Subject: Cookie Secure Attribute - Clarification

> Hey Guys,
> A little bit of clarification needed about the 'Secure' attribute to
> be set in a Cookie. I'm looking at Section 4.3.1 in the
> RFC (http://www.ietf.org/rfc/rfc2109.txt) for the Secure attribute.
> What I understand is - If I programmatically set the Cookie attribute
> of say a Session ID to Secure - it shouldn't be sent over an insecure
> channel. Meaning if I have a web server which has HTTP and HTTPS
> enabled, the Secure cookie should NOT be sent if I access the website
> over HTTP. However for some stupid reason which I cannot understand -
> it does get sent even over an HTTP channel. First I thought it was because I
> was accessing the site over localhost, and Secure pertained only to
> stuff on the Network. But it's the same behavior over the n/w as well -
> anyone accessing my server over HTTP over the n/w... a cookie gets set
> with the Secure attribute and sent in clear text over the n/w.
>
> Surely something in my implementation or understanding is incorrect.
> What am I missing?
>
> Thnx
> Arvind

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
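The behaviour Arvind asks about, as an added example that is not part of the thread: a standards-following cookie jar (Python's http.cookiejar, standing in for a browser) stores a Secure cookie and returns it only on https requests, never on plain http. The host www.example.test and the cookie values are constructed.

```python
# Added example (not from the thread): how a standards-following cookie jar
# treats the Secure attribute. Python's http.cookiejar stands in for a browser.
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs .info() -> headers."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def server_sets_cookie(jar, response_url, set_cookie_header):
    """Store the cookie a server sent in its response to `response_url`."""
    req = urllib.request.Request(response_url)
    jar.extract_cookies(FakeResponse(set_cookie_header), req)


def client_cookie_header(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None if the policy withholds every stored cookie for that URL."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def what_gets_sent(set_cookie_header):
    """Set one constructed cookie over https, then ask what the client would
    send back over https and over plain http to the same host."""
    jar = http.cookiejar.CookieJar()
    # The cookie is set from an https response so that only the *return*
    # rule is exercised (modern browsers also refuse Secure cookies set over http).
    server_sets_cookie(jar, "https://www.example.test/login", set_cookie_header)
    return {
        "https": client_cookie_header(jar, "https://www.example.test/account"),
        "http": client_cookie_header(jar, "http://www.example.test/account"),
    }


if __name__ == "__main__":
    # Constructed sample cookies: one with Secure, one without.
    print(what_gets_sent("sid=abc123; Path=/; Secure; HttpOnly"))
    print(what_gets_sent("sid=abc123; Path=/"))
```

The Secure attribute restricts what the client sends back; it does nothing to protect a Set-Cookie header that the server itself emits in a cleartext HTTP response, so a site that serves both schemes should issue session cookies only over HTTPS.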

Copyright 2010, SecurityFocus