On 28.12.2012 20:35, Robert Moskowitz wrote:
>
> On 12/28/2012 02:09 PM, Reindl Harald wrote:
>>
>> On 28.12.2012 20:06, Robert Moskowitz wrote:
>>> Harald,
>>>
>>> I am beginning to see what you are doing; through some foggy glasses.
>>> Still need to read more, and today was not a reading day. I am struggling
>>> to understand the attack space.
>>>
>>> How can the user submit their cookie over a non-SSL connection when the
>>> server redirects everything to https? The only scenario I have come up
>>> with is with the login screen in front of them, the user changes the
>>> method to http, enters their data and sends?
>> because the browser sends cookies in the HTTP header at the first connect
>> the redirect from the server is also a header of the RESPONSE
>> at this time the cookie was already sent unencrypted
>
> Ah, such brilliance in overhead reduction.
>
> So your little bit would have to change the cookie content so that the
> browser is informed that this cookie is only to be sent over a secure
> connection? The only way I see to stop this behavior is for the cookie to be
> flagged.
<Directory "/usr/share/roundcube">
    php_admin_flag session.cookie_secure "1"
</Directory>

which was already explained yesterday:
http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure
_______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
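The following is an added example, not code from the thread or from Roundcube. It models the browser side of the exchange Harald describes with Python's standard-library cookie policy (http.cookiejar), which implements the same Secure-attribute rule real browsers follow: a session cookie issued by the https login is attached to the user's next plain http:// request (the one that merely triggers the redirect) unless the Set-Cookie header carried the Secure attribute that session.cookie_secure=1 makes PHP add. The host name, the cookie name roundcube_sessid and the Set-Cookie header values are constructed for the demonstration.

```python
"""Why redirecting http to https does not protect a session cookie: the
browser attaches the cookie to the first plaintext request, before the
redirect response arrives.  The Secure attribute is what stops that.

Added example using http.cookiejar as the browser-side cookie policy;
host, cookie name and Set-Cookie values are constructed, not taken from
Roundcube or the thread.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, issued_by, next_request):
    """Store the cookie from the response to issued_by, then return the
    Cookie header (or None) the jar would attach to next_request.

    http.cookiejar checks the URL scheme of next_request against the
    cookie's Secure attribute, exactly as a browser does."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(issued_by))
    req = urllib.request.Request(next_request)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


# Constructed sample data: the login itself happened over TLS in both cases.
LOGIN_URL = "https://mail.example.com/"
# Shape of a PHP session cookie with session.cookie_secure left at 0 ...
WITHOUT_SECURE = "roundcube_sessid=abc123; path=/; HttpOnly"
# ... and with php_admin_flag session.cookie_secure "1" as in the message above.
WITH_SECURE = "roundcube_sessid=abc123; path=/; HttpOnly; Secure"


def leaks_over_plain_http(set_cookie):
    """True if the browser would send the session cookie when the user
    later types the plain http:// address, i.e. in the very request whose
    response will be the server's redirect to https://."""
    return cookie_header_for(set_cookie, LOGIN_URL, "http://mail.example.com/") is not None


if __name__ == "__main__":
    for label, hdr in (("no Secure flag", WITHOUT_SECURE), ("Secure flag", WITH_SECURE)):
        print(f"{label:15s} http://  -> {cookie_header_for(hdr, LOGIN_URL, 'http://mail.example.com/')}")
        print(f"{label:15s} https:// -> {cookie_header_for(hdr, LOGIN_URL, 'https://mail.example.com/')}")
```

The redirect never enters the picture: by the time the 301/302 is parsed, the non-Secure cookie has already crossed the wire in clear text. The flagged cookie is still sent over https://, so the Secure attribute costs nothing for a site that serves everything over TLS anyway.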
