hey all:
I never believe in "secure" cookies, so I never use cookies for user info.
br
Zhimin

2011/6/23 Koen Deforche <[email protected]>

> Hey Matthew,
>
> 2011/6/23 Matthew Sherborne <[email protected]>:
> > Hi guys,
> >
> > I read these slides on how to hack sites that don't set the 'secure'
> > flag on their cookies:
> > http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
> >
> > So, as I'm working on a 'logged in user session' thing that outlives
> > witty sessions, I've added this patch to wt git master.
>
> I agree with the general thought of this patch.
>
> I also think that if the developer wants to set a "secure" cookie, the
> cookie should only be set if a secure connection is being used.
>
> The only problem is that Wt does not know, in all circumstances, whether
> the request comes over a secure connection. When using FastCGI or
> ISAPI or when deployed (e.g. with the built-in httpd) behind a reverse
> proxy that acts as an OpenSSL terminator, we would wrongly assume that
> the connection is not secure. So it would need something that can be
> configured/customized, but the default behaviour of looking at the
> scheme used (http versus https) would at least not be unsafe.
>
> While reading up on the Secure option, I've also come across HttpOnly
> which I believe we should always set.
>
> Regards,
> koen
>
>
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with
> vRanger.
> Installation's a snap, and flexible recovery options mean your data is
> safe,
> secure and there when you need it. Data protection magic?
> Nope - It's vRanger. Get your free trial download today.
> http://p.sf.net/sfu/quest-sfdev2dev
> _______________________________________________
> witty-interest mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/witty-interest
>



-- 
My blog: http://hi.baidu.com/zhmsong;
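Koen's proposal in the quoted reply (set a "secure" cookie only when the connection really is secure, make the reverse-proxy case configurable, and always set HttpOnly), as an added example in plain C++ that is not Wt's own code. The Request struct, the trustProxyHeader switch and the use of an X-Forwarded-Proto header from the proxy are assumptions for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed model of an incoming request (not Wt's API): the scheme the
// server itself saw, plus request headers with lower-cased names.
struct Request {
    std::string scheme;                          // "http" or "https"
    std::map<std::string, std::string> headers;
};

// Decide whether the client is on a secure connection. Behind a TLS-terminating
// reverse proxy the server only sees plain http, so an operator can opt in to
// trusting the proxy's X-Forwarded-Proto header (assumed header name). The
// default (trustProxyHeader=false) falls back to the scheme actually used.
bool isSecureConnection(const Request& req, bool trustProxyHeader) {
    if (trustProxyHeader) {
        auto it = req.headers.find("x-forwarded-proto");
        if (it != req.headers.end()) return it->second == "https";
    }
    return req.scheme == "https";
}

// Build a Set-Cookie header value. HttpOnly is always present. When the caller
// asks for a Secure cookie but the connection is not secure, the cookie is not
// set at all (empty string) rather than sent in the clear without the flag.
std::string buildSetCookie(const std::string& name, const std::string& value,
                           bool wantSecure, const Request& req,
                           bool trustProxyHeader) {
    if (wantSecure && !isSecureConnection(req, trustProxyHeader)) return "";
    std::string hdr = name + "=" + value + "; Path=/; HttpOnly";
    if (wantSecure) hdr += "; Secure";
    return hdr;
}

int main() {
    Request direct{"https", {}};                                   // direct TLS
    Request proxied{"http", {{"x-forwarded-proto", "https"}}};     // via proxy
    std::cout << buildSetCookie("sid", "abc", true, direct, false) << "\n";
    std::cout << "[" << buildSetCookie("sid", "abc", true, proxied, false) << "]\n";
    std::cout << buildSetCookie("sid", "abc", true, proxied, true) << "\n";
    return 0;
}
```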
