[OWASP-TESTING] final draft of the outline

Stephen Venter stephen.venter at gmail.com
Mon May 9 18:12:10 EDT 2005


Hi

A comment about secure cookies: 

On 5/4/05, Eoin Keary <eoinkeary at hotmail.com> wrote:
> Authentication:
> •     Token storage? (If not marked as 'secure' a cookie will be stored on hard
> disk)
> 
> This is also true if the cookie is not transient, i.e. has an expiry date. The main
> reason for the cookie flag to be set is to assure it can only be sent via
> SSL

As far as I have observed, the secure attribute for a cookie is only
used to instruct the client web browser to transmit that cookie over a
"secure", i.e. SSL/TLS/HTTPS, connection [thus not in clear text
HTTP].

It is the expiry date that determines whether it is written to
hard disk or not (irrespective of whether or not the secure attribute
has been set). So if the expiry date is set in the future, the cookie
is written to disk for future use, even if the secure attribute is
set.

With reference to RFC2109 I like to describe the risk here as:
This optional attribute "directs the user agent to use only secure
means to contact the origin server" (per the RFC2109 of 1997:
http://www.faqs.org/rfcs/rfc2109.html).  Therefore, without the
"secure" attribute there is the risk that a user may have his web
browser submit the cookie details in an insecure way, thus revealing
potentially valuable details regarding his session.  This, in turn,
could allow his session to be hijacked by a malicious unauthorised
user.

Regards
Steve
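As an added illustration (not part of the thread above), the following Python checks a Set-Cookie header for the two independent properties Steve describes: the Secure attribute (transmit only over SSL/TLS) and persistence (a future Expires or positive Max-Age, which is what causes on-disk storage). The sample headers and reference time are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

@dataclass
class CookieReport:
    name: str
    secure: bool       # Secure attribute present: sent only over SSL/TLS
    persistent: bool   # future Expires / positive Max-Age: written to disk
    findings: tuple

def analyse_set_cookie(header, now=None):
    # Parse one Set-Cookie value; Secure and persistence are judged independently.
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = persistent = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "secure":
            secure = True
        elif key == "max-age" and value.lstrip("-").isdigit():
            # Positive Max-Age makes the cookie persistent; zero or negative deletes it
            persistent = persistent or int(value) > 0
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
                persistent = persistent or expires > now
            except (TypeError, ValueError):
                pass  # unparseable Expires is treated as no expiry
    findings = []
    if not secure:
        findings.append("no Secure attribute: browser may send it over clear-text HTTP")
    if persistent:
        findings.append("future expiry: cookie is stored on disk even if Secure is set")
    return CookieReport(name, secure, persistent, tuple(findings))

# Constructed sample headers (hypothetical), judged at a fixed reference time.
SAMPLE_HEADERS = (
    "SESSIONID=abc123; Path=/; Secure; Expires=Sat, 09 May 2015 00:00:00 GMT",
    "SESSIONID=abc123; Path=/; HttpOnly",
    "SESSIONID=abc123; Path=/; Secure; Max-Age=0",
)
REFERENCE_TIME = datetime(2005, 5, 9, tzinfo=timezone.utc)

def report_samples():
    return [analyse_set_cookie(h, REFERENCE_TIME) for h in SAMPLE_HEADERS]
```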
