Re: [WebDNA] Setting secure cookie
This WebDNA talk-list message is from 2009
It keeps the original formatting.
Stuart Tremain wrote:
> Donovan
>
> This cookie thing is becoming one of the standard security scans from
> people such as McAfee Secure from https://www.mcafeesecure.com
>
> Description
> The application sets a cookie over a secure channel without using the
> "secure" attribute. RFC states that if the cookie does not have the
> secure attribute assigned to it, then the cookie can be passed to the
> server by the client over non-secure channels (http). Using this attack,
> an attacker may be able to intercept this cookie, over the non-secure
> channel, and use it for a session hijacking attack.
>
> General Solution
> It is best business practice that any cookies that are sent (set-cookie)
> over an SSL connection to explicitly state secure on them.

yes, as I described ;-)... however, a hijacker should not be able
to get into sensitive customer info regardless. As I said, there
are *many* means to keep user info secure... which is the end goal
here no matter what McAfee says. Encryption, Authentication, and
cookie/orderfile strategy can all work together to keep things safe..

> Doing a redirect if not https - WebDNA does not detect https !

It doesn't have a push button solution.. no.

> You noted in an earlier post (8 April 09)
> "I don't know of many other WebDNA specific ways of finding this, so we
> *will* make one! :-)"

Yes I did. :-)

> I look forward to BOTH additions !!!

Me 2.

Donovan

--
Donovan Brooke
WebDNA Software Corporation
http://www.webdna.us
**[Square Bracket Utopia]**
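The scanner finding quoted above boils down to a mechanical check on the response headers: every Set-Cookie sent over an SSL connection should carry the Secure attribute, so the browser never sends that cookie back over plain http. The following Python is an added example, not code from this thread or from WebDNA: it parses Set-Cookie values with a small hand-written parser, reports which cookies set over TLS lack the attribute (the same condition the scan reports), and shows the one-line fix of appending it. The header values in SAMPLE_HEADERS are constructed for the example.

```python
"""Flag Set-Cookie headers sent over TLS that lack the Secure attribute.

Added example (not from the WebDNA thread). The cookie parser below is a
deliberately small hand-written one; attribute names are compared
case-insensitively, as browsers do.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> string value, or True for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return self.attributes.get("secure") is True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value, attrs)


def insecure_cookies(set_cookie_headers, over_tls: bool):
    """Return names of cookies set over TLS that lack the Secure attribute.

    The scanner's finding only concerns cookies set on an SSL response, so a
    plain-http response yields no findings from this particular check.
    """
    if not over_tls:
        return []
    return [c.name for c in map(parse_set_cookie, set_cookie_headers)
            if not c.secure]


def add_secure(header: str) -> str:
    """Append '; Secure' to a Set-Cookie value unless it already has it."""
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip().rstrip(";") + "; Secure"


# Constructed sample response headers (values are not real session ids).
SAMPLE_HEADERS = [
    "sessionid=CONSTRUCTED1234; Path=/; HttpOnly",   # missing Secure
    "cart=7; Path=/; Secure",                         # correct
    "prefs=dark; Path=/; secure; HttpOnly",           # lower-case flag still counts
]

if __name__ == "__main__":
    print("cookies set over TLS without Secure:",
          insecure_cookies(SAMPLE_HEADERS, over_tls=True))
    for h in SAMPLE_HEADERS:
        print(h, "->", add_secure(h))
```

The attribute only controls where the browser will send the cookie back; it does nothing for the data the cookie refers to, which is why the reply above still leans on encryption, authentication and order-file strategy on the server side.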