Re: [WebDNA] Setting secure cookie
This WebDNA talk-list message is from 2009
It keeps the original formatting.
Stuart Tremain wrote:
> Donovan
>
> This cookie thing is becoming one of the standard security scans from
> people such as McAfee Secure from https://www.mcafeesecure.com
>
> Description
> The application sets a cookie over a secure channel without using the
> "secure" attribute. RFC states that if the cookie does not have the
> secure attribute assigned to it, then the cookie can be passed to the
> server by the client over non-secure channels (http). Using this attack,
> an attacker may be able to intercept this cookie, over the non-secure
> channel, and use it for a session hijacking attack.
>
> General Solution
> It is best business practice that any cookies that are sent (set-cookie)
> over an SSL connection to explicitly state secure on them.

yes, as I described ;-)... however, a hijacker should not be able
to get into sensitive customer info regardless. As I said, there
are *many* means to keep user info secure... which is the end goal
here no matter what McAfee says. Encryption, Authentication, and
cookie/orderfile strategy can all work together to keep things safe..

> Doing a redirect if not https - WebDNA does not detect https !

It doesn't have a push button solution.. no.

> You noted in an earlier post (8 April 09)
> "I don't know of many other WebDNA specific ways of finding this, so we
> *will* make one! :-)"

Yes I did. :-)

> I look forward to BOTH additions !!!

Me 2.

Donovan

--
Donovan Brooke
WebDNA Software Corporation
http://www.webdna.us
**[Square Bracket Utopia]**
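As an added illustration of the finding quoted above (this is example code written for this page, not code from the list or from WebDNA), the following Python script performs the same test the scanner does: it parses raw Set-Cookie header values, flags cookies issued over HTTPS that lack the Secure attribute (and, as the related hardening point, HttpOnly), and shows what the corrected header should look like. The header values and cookie names are constructed samples; the `over_https` flag is an assumption, because, as the post notes, the server side here cannot tell by itself whether the request arrived over TLS, so in practice you would run this against response headers captured from an HTTPS session.

```python
"""Audit Set-Cookie headers for the missing-Secure finding.

Constructed example, not WebDNA code. It parses Set-Cookie values the way
a scanner does and reports cookies set over HTTPS without the Secure
attribute (and without HttpOnly), then shows the hardened header.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    # lower-cased attribute name -> value (None for flags like Secure)
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into its name and its attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return CookieAudit(name=name.strip(), attributes=attrs)


def audit_set_cookie(header_value: str, over_https: bool = True) -> CookieAudit:
    """Return the cookie with the findings a security scan would raise.

    over_https is an assumption supplied by the caller: it says whether the
    response carrying this header was served over TLS.
    """
    cookie = parse_set_cookie(header_value)
    if over_https and "secure" not in cookie.attributes:
        cookie.findings.append("missing Secure: browser may resend over plain http")
    if "httponly" not in cookie.attributes:
        cookie.findings.append("missing HttpOnly: readable by page scripts")
    return cookie


def harden_set_cookie(header_value: str) -> str:
    """Return the header with Secure and HttpOnly appended where absent."""
    cookie = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if "secure" not in cookie.attributes:
        out += "; Secure"
    if "httponly" not in cookie.attributes:
        out += "; HttpOnly"
    return out


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "cart=ABC123; Path=/",
    "session=xyz; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure",
]


def audit_all(headers=SAMPLE_HEADERS, over_https=True):
    """Map each cookie name to its list of findings (empty list means clean)."""
    return {c.name: c.findings
            for c in (audit_set_cookie(h, over_https) for h in headers)}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "OK")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```

The attribute names are compared case-insensitively because browsers accept `secure`, `Secure` and `SECURE` alike; a checker that only looks for one spelling would miss compliant cookies and raise false findings.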