On 12/28/2012 02:39 PM, Reindl Harald wrote:

> On 28.12.2012 20:35, Robert Moskowitz wrote:
>> On 12/28/2012 02:09 PM, Reindl Harald wrote:
>>> On 28.12.2012 20:06, Robert Moskowitz wrote:
>>>> Harald,
>>>>
>>>> I am beginning to see what you are doing; through some foggy glasses. Still need to read more, and today was not a reading day. I am struggling to understand the attack space.
>>>>
>>>> How can the user submit their cookie over a non-SSL connection when the server redirects everything to https? The only scenario I have come up with is with the login screen in front of them, the user changes the method to http, enters in their data and sends?
>>> because the browser sends cookies with the HTTP-HEADER at the first connect
>>> the redirect from the server is also a header of the RESPONSE
>>> at this time the cookie was already sent unencrypted
>> Ah, such brilliance in overhead reduction.
>>
>> So your little bit would have to change the cookie content so that the browser is informed that this cookie is only to be sent over a secure connection? Only way I see to stop this behavior is for the cookie to be flagged.
> <Directory "/usr/share/roundcube">
>   # make PHP emit the session cookie with the "secure" attribute
>   php_admin_flag session.cookie_secure "1"
> </Directory>
>
> which was already explained yesterday
> http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure

Yes, I got that and am now 'getting it'. Just nit-picking: you use "1", the manual says boolean with the default of off, so just two ways of representing a boolean, numeric or label. In my way of thinking (hey, I am dyslexic) labels reduce confusion because there is only off and on (no maybes), while numeric raises the question of "2"...?


_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users

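The sequence Harald describes (cookie goes out in the first plain-HTTP request; the redirect only arrives in the response, too late) can be reproduced offline with Python's standard-library cookie jar standing in for the browser. This is an added example, not code from the thread or from Roundcube; the host mail.example.com, the cookie name roundcube_sessid and the two Set-Cookie strings are constructed for illustration. The second string carries the `secure` attribute, which is what PHP adds to its session cookie when session.cookie_secure is on.

```python
"""Why an http->https redirect does not protect a session cookie.

The browser attaches the Cookie header to its very first request, before it
has seen the server's redirect response.  Only the cookie's Secure attribute
(PHP: session.cookie_secure=1) keeps the jar from attaching it to an http://
request in the first place.  Uses http.cookiejar as a stand-in for a browser.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Hypothetical Roundcube instance; the cookie is set during an HTTPS login.
LOGIN_URL = "https://mail.example.com/"


class _Response:
    """Minimal stand-in for an HTTP response: only what
    CookieJar.extract_cookies() needs (an .info() returning the headers)."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie: str, next_url: str):
    """Store `set_cookie` as if received over HTTPS at login, then return the
    Cookie header the jar would attach to a later request for `next_url`,
    or None if the jar would not send the cookie at all."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie), Request(LOGIN_URL))
    req = Request(next_url)
    jar.add_cookie_header(req)  # same decision a browser makes before sending
    return req.get_header("Cookie")


# Constructed Set-Cookie values: PHP default (cookie_secure off) and hardened.
INSECURE = "roundcube_sessid=abc123; path=/; HttpOnly"
SECURE = "roundcube_sessid=abc123; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for label, value in (("cookie_secure=0", INSECURE), ("cookie_secure=1", SECURE)):
        for url in ("http://mail.example.com/", "https://mail.example.com/"):
            print(f"{label:16} {url:28} -> {cookie_header_for(value, url)}")
```

With the insecure cookie the jar attaches `roundcube_sessid=abc123` to the http:// request, so a server-side redirect cannot help; with the secure cookie it sends nothing over http:// and the cookie only on https://. To check a live server the same way, fetch the login page with `curl -sI https://your-host/` and confirm the `Set-Cookie` header contains `secure`.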