Hi all,
Anyone know how to force the "secure" attribute on the USERREFERENCECOOKIE? The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.

Chuck Lockwood
President
309 Main Avenue
Hawley, Pa 18428
(P) 570.226.7340
(F) 570.226.7341
http://www.lockdata.com/
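An added example, not part of the original post and not Witango code: one way to detect and correct the missing attribute at a filter or reverse-proxy layer that can see the HTTPS response headers. The function names are hypothetical and the header values are constructed; only the cookie name comes from the post.

```python
# Added example: audit and rewrite Set-Cookie headers at a proxy/filter layer.
# Header values below are constructed; only the cookie name comes from the post.

def cookie_attributes(set_cookie_value):
    """Return (name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Everything after the first name=value pair is an attribute; the
    # attribute name is what precedes an optional "=".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def has_secure(set_cookie_value):
    """True only if Secure is present as an attribute, not inside the value."""
    return "secure" in cookie_attributes(set_cookie_value)[1]


def force_secure(headers, only_names=None):
    """Append '; Secure' to Set-Cookie headers that lack it.

    headers: list of (header_name, value) tuples from an HTTPS response.
    only_names: optional set of cookie names to restrict the rewrite to.
    Returns (new_headers, names_of_cookies_that_were_changed).
    """
    out, changed = [], []
    for hname, value in headers:
        if hname.lower() == "set-cookie":
            cname, attrs = cookie_attributes(value)
            wanted = only_names is None or cname in only_names
            if wanted and "secure" not in attrs:
                value = value.rstrip().rstrip(";").rstrip() + "; Secure"
                changed.append(cname)
        out.append((hname, value))
    return out, changed


# Constructed sample response headers.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "USERREFERENCECOOKIE=ABC123DEF456; path=/"),
    ("Set-Cookie", "theme=secure; path=/;"),
    ("set-cookie", "prefs=1; Path=/; SECURE; HttpOnly"),
]

if __name__ == "__main__":
    fixed, changed = force_secure(SAMPLE)
    for h in fixed:
        print("%s: %s" % h)
    print("rewritten:", changed)
```

The check matches `Secure` only as an attribute, so a cookie whose value happens to be the word "secure" is still reported as unprotected.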
