On 12/28/2012 02:22 PM, Reindl Harald wrote:
On 28.12.2012 20:19, Benny Pedersen wrote:
Robert Moskowitz wrote on 2012-12-28 20:06:
Any connection to http://webmail.foo.com gets returned as
https://webmail.foo.com It took a bit of reading to get to this
setup.
the http:// link should be a separate documentroot in apache with different content on
that homepage that just says: use
https:// to get webmail access
you still did not understand the basics:
if the cookies themselves are not flagged "secure only", the
different docroot does not help in any way
This basic browser behavior fact is critical in understanding the attack
space against cookie content.
Thank you for the edification.
- you can place
any redirect, info-page or whatever on the http:// site,
but after getting the cookie from https:// roundcube and calling
the http:// URL you will send your cookie UNENCRYPTED
why?
because cookies are DOMAIN based
the domain is the same
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
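The point argued above (a redirect or a separate docroot on http:// cannot help, because the browser has already attached the cookie to the plaintext request before the server gets to answer; only the Secure flag keeps it off http://) can be reproduced offline with Python's http.cookiejar, whose DefaultCookiePolicy applies the same host and Secure-flag rules a browser does. This is an added example, not code from the thread or from Roundcube; the hostnames, the cookie value and the cookie name `roundcube_sessid` are constructed for illustration and assumed to match a Roundcube session cookie.

```python
"""Simulate a browser that logs in at https://webmail.foo.com and then
follows a plain http:// link to the same host.  Which requests carry the
session cookie depends only on whether the cookie was set with Secure."""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: the only thing
    CookieJar.extract_cookies() needs is .info() returning the headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def store_cookies(jar, login_url, set_cookie_headers):
    """Record the Set-Cookie headers a (constructed) login response carried."""
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_Response(set_cookie_headers), request)


def cookie_header_for(jar, url):
    """Return the Cookie header a client holding this jar would send to url,
    or None if the jar's policy withholds every cookie for that request."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(set_cookie_value):
    """Log in over HTTPS, then visit three URLs without any server in between:
    the request is built (cookie and all) before anything is sent, so a
    redirect served by the http:// docroot would arrive too late.
    Returns {url: Cookie header or None}."""
    jar = http.cookiejar.CookieJar()
    # constructed: the Set-Cookie line the HTTPS login response carried
    store_cookies(jar, "https://webmail.foo.com/", [set_cookie_value])
    return {
        url: cookie_header_for(jar, url)
        for url in (
            "https://webmail.foo.com/",   # the webmail itself
            "http://webmail.foo.com/",    # same host, plaintext
            "http://other.foo.com/",      # different host, same parent domain
        )
    }


# Session cookie name assumed to be Roundcube's; value is made up.
WITHOUT_SECURE = "roundcube_sessid=abc123; Path=/; HttpOnly"
WITH_SECURE = "roundcube_sessid=abc123; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    for label, header in (("no Secure flag", WITHOUT_SECURE),
                          ("Secure flag", WITH_SECURE)):
        print(f"cookie set with {label}:")
        for url, sent in simulate(header).items():
            print(f"  {url:30} -> {sent or '(no cookie sent)'}")
```

Without Secure, the http://webmail.foo.com/ request leaves the client with `roundcube_sessid=abc123` in clear text, regardless of what the http:// virtual host intends to reply; with Secure it leaves without a Cookie header. The third URL shows the "domain based" part of the argument: a cookie set by webmail.foo.com without a Domain attribute is host-only, so other.foo.com never receives it, but the same host over a different scheme does.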