.NET Forum / .NET Framework / Security / January 2006

"secure" flag for HttpCookies

Jas - 31 Dec 2005 21:26 GMT
The "secure" cookie option dictates that the value of the cookie should only
be sent over (unspecified) secure means.  In practice this has come to mean
over SSL.  This is critical in keeping session cookies safe from prying eyes.
If the user-agent does not send a sensitive session cookie over HTTP, an
attacker would have to look at other means of stealing this cookie.  

Turns out this requirement does not apply to the initial set-cookie response
sent from the server to the client, so an attacker can just look for the
set-cookie header and hijack the session of the victim.  This helps defeat a
lot of the benefits of the "secure" flag.

I tested this out in ASP.NET v1.1(and J2EE) and confirmed that ASP.NET does
not ensure that the response from the server is encrypted.  Shouldn't this be
enforced by ASP.NET?  This can be done through a custom HttpHandler but it
should be done by the framework.  

Comments?

regards,
Jas
Nicole Calinoiu - 01 Jan 2006 13:41 GMT
This particular option really is about client behaviour, not server
behaviour, so what you're seeing is probably the intended behaviour.  The
developer of a web application does have other approaches available for
ensuring that cookies only get transmitted from the server when appropriate.
That said, far too many developers are blissfully unaware of such issues,
and adding server-side protection certainly wouldn't hurt*.  Why not submit
a suggestion at http://lab.msdn.microsoft.com/ProductFeedback/ if you think
it ought to be added?

*Although I suspect it would end up being added as a separate option in
order to avoid potential problems in existing applications.

> The "secure" cookie option dictates that the value of the cookie should
> only
[quoted text clipped - 23 lines]
> regards,
> Jas
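The server-side guard Jas describes (refuse to emit a cookie marked Secure unless the response itself travels over SSL) and the "other approaches" Nicole alludes to can be implemented as an ASP.NET HttpModule. The following is an added example written for this thread; it is not code from ASP.NET, from Jas or from any of the posters. It assumes the ASP.NET 1.1/2.0 `IHttpModule` API and the `HttpApplication.PreSendRequestHeaders` event, and the module and class names are made up for the illustration. It generalises the check Dominick later quotes from `FormsAuthentication.SetAuthCookie` in 2.0 to every cookie in the response.

```csharp
using System;
using System.Web;

// Added example (hypothetical module name): strips any cookie flagged Secure from a
// response that is about to leave over plain HTTP, then fails the request so the
// misconfiguration is visible instead of silently producing a cookie that the
// browser will never return. Stripping first guarantees the cookie value is never
// written to the wire, even if the error page that follows keeps other headers.
//
// Registration (web.config, inside <system.web>; assembly name is a placeholder):
//   <httpModules>
//     <add name="SecureCookieGuard" type="SecureCookieGuardModule, YourAssembly" />
//   </httpModules>
public class SecureCookieGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PreSendRequestHeaders is the last point at which the outgoing
        // Set-Cookie headers can still be modified.
        app.PreSendRequestHeaders += new EventHandler(OnPreSendRequestHeaders);
    }

    public void Dispose() { }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        int removed = StripSecureCookiesOnPlaintext(ctx.Request.IsSecureConnection,
                                                    ctx.Response.Cookies);
        if (removed > 0)
        {
            // Same outcome as the 2.0 SetAuthCookie check, but for any cookie.
            throw new HttpException(500,
                "Refused to send " + removed +
                " cookie(s) marked Secure over a non-SSL connection.");
        }
    }

    // Kept separate from the event handler so the rule can be exercised against
    // any HttpCookieCollection. Returns the number of cookies removed.
    public static int StripSecureCookiesOnPlaintext(bool isSecureConnection,
                                                    HttpCookieCollection cookies)
    {
        if (isSecureConnection)
        {
            return 0;   // SSL response: Secure cookies may be set as usual.
        }

        int removed = 0;
        // Walk backwards because Remove() shifts the indexes of later entries.
        for (int i = cookies.Count - 1; i >= 0; i--)
        {
            HttpCookie cookie = cookies[i];
            if (cookie.Secure)
            {
                cookies.Remove(cookie.Name);
                removed++;
            }
        }
        return removed;
    }
}
```

The module only covers cookies added through `Response.Cookies`; a handler that writes a raw `Set-Cookie` header with `Response.AppendHeader` bypasses it, which is one reason the thread argues the check belongs in the framework rather than in application code.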
Jas - 02 Jan 2006 00:00 GMT
Nicole,

Agreed.  It's not a requirement as per the RFC, but it would add to the
security.  As you recommended, I have filed a suggestion.  If you can, could
you vote on it?  The suggestion ID is FDBK43174.

regards,
Jas

> This particular option really is about client behaviour, not server
> behaviour, so what you're seeing is probably the intended behaviour.  The
[quoted text clipped - 35 lines]
> > regards,
> > Jas
Dominick Baier [DevelopMentor] - 02 Jan 2006 19:19 GMT
Hi,

this is at least an inconsistency -

FormsAuthentication.SetAuthCookie enforces SSL when setting the auth ticket.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Nicole,
>
[quoted text clipped - 50 lines]
>>> regards,
>>> Jas
Dominick Baier [DevelopMentor] - 02 Jan 2006 21:22 GMT
hi,

i mean when requireSSL is set to true.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
[quoted text clipped - 60 lines]
>>>> regards,
>>>> Jas
Jas - 05 Jan 2006 01:50 GMT
Dominick,

I checked up on this and confirmed that the issue exists with
FormsAuthentication.SetAuthCookie as well, even when requireSSL is set to
true in web.config.  The initial "set-cookie" header sent from the server to
the client can be sent over HTTP.  It just dictates that the client will not
send the cookie to the server on all requests.  But this doesn't matter, because
an attacker can just sniff the cookie on the initial "set-cookie" header from
the server.

jas

> hi,
>
[quoted text clipped - 14 lines]
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
Dominick Baier [DevelopMentor] - 05 Jan 2006 06:31 GMT
Hi,

no - i cannot confirm - at least in 2.0

this is part of the source of SetAuthCookie:

if (!context1.Request.IsSecureConnection && FormsAuthentication.RequireSSL)
{
    throw new HttpException(SR.GetString("Connection_not_secure_creating_secure_cookie"));
}

haven't checked for 1.1, though

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Dominick,
>
[quoted text clipped - 25 lines]
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.co
Nicole Calinoiu - 05 Jan 2006 12:11 GMT
It looks like 1.1 doesn't apply the same verification (looked at decompiled
assembly, but didn't test it).

> Hi,
> no - i cannot confirm - at least in 2.0
[quoted text clipped - 43 lines]
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
Jas - 05 Jan 2006 14:50 GMT
Dominick,

Yes, I should have specified - I was talking about 1.1.  I tested it out in
a lab environment.

jas

> It looks like 1.1 doesn't apply the same verification (looked at decompiled
> assembly, but didn't test it).
[quoted text clipped - 28 lines]
> >>
> >> jas

©2008 Advenet LLC