Re: [WebDNA] Setting secure cookie

This WebDNA talk-list message is from 2009 (message number 102493).
Donovan

This cookie thing is becoming one of the standard security scans from people such as McAfee Secure from https://www.mcafeesecure.com

Description

The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.

General Solution

It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them.

Doing a redirect if not https - WebDNA does not detect https!

You noted in an earlier post (8 April 09) "I don't know of many other WebDNA specific ways of finding this, so we *will* make one! :-)"

I look forward to BOTH additions!!!

> Stuart Tremain wrote:
> > "It is best business practice that any cookies that are sent
> > (set-cookie) over an SSL connection to explicitly state secure on them."
> >
> > Can this be done in WebDNA [setcookie] ?
>
> No, but you could do it using [returnraw] I suppose. The 'secure' param is a suggestion that user agents (browsers) only serve cookies with this param set if the connection is with SSL. You could easily force the issue anyway... perhaps by doing a redirect if the connection is not https. There are a number of ways to secure sessions which don't require the 'secure' param to be set on a cookie. However, I will put that on the list of features to add, as I think it is a good one.
>
> Meanwhile, here is an RFC if you want to roll your own:
> http://www.ietf.org/rfc/rfc2965.txt
>
> Donovan
>
> --
> Donovan Brooke
> WebDNA Software Corporation
> http://www.webdna.us
> **[Square Bracket Utopia]**

Regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Setting secure cookie (Donovan Brooke 2009)
  2. Re: [WebDNA] Setting secure cookie (Stuart Tremain 2009)
  3. Re: [WebDNA] Setting secure cookie (Donovan Brooke 2009)
  4. [WebDNA] Setting secure cookie (Stuart Tremain 2009)
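The scanner finding and the "roll your own" header discussed in the thread, as an added Python example (not WebDNA code and not from either poster): it parses the Set-Cookie lines of an HTTPS response and reports any cookie set without the Secure attribute, which is exactly the condition the scan flags, and it builds a Set-Cookie line that always carries Secure, the kind of raw header one would emit through a mechanism like [returnraw]. The sample headers and cookie names are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: three Set-Cookie headers as a server might send them
# in one HTTPS response. Only the second and third carry the Secure attribute.
SAMPLE_HEADERS = [
    "Set-Cookie: WebCatSession=abc123; Path=/",
    "Set-Cookie: cart=42; Path=/; Secure",
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly",
]

# Characters RFC 6265 keeps out of a cookie value: controls, space, DQUOTE,
# comma, semicolon and backslash. A cookie name must be an HTTP token.
_BAD_VALUE_CHARS = re.compile(r'[\x00-\x20\x7f",;\\]')
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie line into its name, value and lower-cased attribute names."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies set without Secure: the condition the security scan reports."""
    return [c["name"] for c in map(parse_set_cookie, headers) if "secure" not in c["attrs"]]


def build_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie line that always carries Secure, for emitting as a raw header."""
    if not _TOKEN.fullmatch(name):
        raise ValueError("cookie name must be an HTTP token")
    if _BAD_VALUE_CHARS.search(value):
        raise ValueError("cookie value contains a character not allowed in a cookie")
    return f"Set-Cookie: {name}={value}; Path={path}; Secure"


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie '{cookie}' was set over TLS without the Secure attribute")
    print(build_set_cookie("WebCatSession", "abc123"))
```

The value check matters because a semicolon or control character in a value would let the header be parsed as extra attributes, so the builder refuses such input rather than emitting a malformed line.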
