This is not a function of the server as far as I know.
Here are 2 hacks that come to mind:

1. Prevent port 80 from executing Witango files. Lock the Witango application to port 443 at the web server level.

2. Disable the automatic assignment of the userreferencecookie using the config variable senduserreferencecookie [TRUE|FALSE] (valid in all scopes), then support session control yourself. The docs say to use post & search args to pass the userreference; however, you might test what happens if you manually set the cookie under the proper conditions (upon which you can set the secure flag).

Robert

_____

From: Chuck Lockwood [mailto:[email protected]]
Sent: Tuesday, August 11, 2009 12:36 PM
To: WiTango-Talk
Subject: Witango-Talk: USERREFERENCECOOKIE

Hi all,

Anyone know how to force the "secure" attribute on the USERREFERENCECOOKIE?

The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.

Chuck Lockwood
President
309 Main Avenue
Hawley, Pa 18428
(P) 570.226.7340 (F) 570.226.7341
www.lockdata.com <http://www.lockdata.com/>

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
