[WEB SECURITY] secure cookie on a public site

Robin Tiwari tiwari.robin at gmail.com
Mon Mar 21 13:34:32 EDT 2011


Important thing here to understand about the cookie. A cookie generally
contains the user session ID or maybe some other non-sensitive data. But if
the session ID is compromised then it will create a huge risk.

On 3/21/11, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> If a site is running on https channel but the content is not confidential
>> and the site uses a few cookies which are not secure and do not contain
>> any confidential/sensitive data, what is the risk associated here?
>
> In such a case, the primary risk, regardless of how the cookies are
> flagged, is that they may be still set over HTTP (e.g., by
> network-level attackers on wifi networks). Thus, any reliance on them
> within the HTTPS context should be done with extreme caution.
>
> /mz
>


-- 
Thanks & Regards

Robin Tiwari
Security Analyst
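The risk Michal describes, a cookie being set or overwritten from a plain-HTTP response even though the site runs on HTTPS, is something a defender can check for in the site's own Set-Cookie headers. The following is an added example, not code from the thread: it audits constructed sample headers for the missing Secure flag and related attributes, and builds a hardened replacement. The `__Host-` prefix rule is taken from RFC 6265bis (the thread does not mention it); the finding texts and helper names are my own.

```python
"""Audit Set-Cookie headers for the weaknesses discussed in the thread.

Added example, not from the original post. The checks are heuristics a
defender would run over proxy logs or in a test suite.
"""
from typing import Dict, List, Tuple

# Constructed sample headers, as a site like the one described might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",                                          # weak
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",          # better
    "__Host-SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",   # best
    "__Host-SESSIONID=abc123; Domain=example.com; Secure; Path=/",      # bad prefix use
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    # Without Secure the browser also sends the cookie over plain http://,
    # so anyone on the network path can read it and respond with a new value.
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent and settable over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from page script")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    # Historically an HTTP response for the same host could overwrite even a
    # Secure cookie; the __Host- prefix makes browsers enforce Secure, Path=/
    # and no Domain, so such a cookie cannot originate from an HTTP response.
    if name.startswith("__Host-"):
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    else:
        findings.append("no __Host- prefix: an HTTP response could still overwrite it")
    return findings


def build_session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header that passes every check in audit_set_cookie."""
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Running `audit_set_cookie` over each entry of `SAMPLE_HEADERS` shows the first header failing every check and only the third (and the output of `build_session_cookie`) passing cleanly.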



