tags:

views:

2198

answers:

2
+3  Q: 

Secure cookies and mixed https/http site usage.

Lots of sites appear to support https but don't use secure cookies. I want to make my site use secure cookies but to allow for some content to be accessed using http instead.

A sensible way to do this appears to be to have a secure cookie for the real session, and a non-secure cookie which is just a flag to say if the user is logged in or not (to display different things in the header, like a logout link instead of a login link). This cookie wouldn't contain any "real" session information and is just so that the site can show pages slightly differently for logged-in users compared to logged-out ones on http portions of the site.

Having the whole site as https is another option but this appears to be quite a bit slower than plain http and so is not really ideal.

Why don't sites use this kind of set-up and have secure cookies? The possibility of cookie theft seems to make secure cookies a necessity nowadays. Is there a better way to achieve the same thing?

A: 

From a security standpoint, you should never trust any content sent over a non-secured connection. So with that in mind, then it is safe to use a cookie sent over an unencrypted connection only if the cost of theft or misuse of that cookie is approximately zero.

With that in mind, most sites are designed such that the data isn't allowed to "leak" between the channels. After all, data coming from the encrypted side is usually privileged, and therefore shouldn't be allowed in the normal channel, while data coming from the unencrypted channel is potentially spoofed, and shouldn't be trusted.

If you have data that doesn't fit those generalizations, then feel free to do with it as you please.

tylerl  2009-04-02 10:35:39
+2  A: 

The solution you propose seems like a good one, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in' - ie as long as the http part of the site does not contain any sensitive information, and the only difference between logged in and not-logged-in users is something harmless in the header.

The reason it is not used very often may be one of:

  • This scenario may just not be very common. Usually if you care enough to make part of your site secure, you'd restrict the login session just to that secure part, or you'd make the entire site always use HTTPS (like Paypal).
  • Pre-existing solutions exist which are secure and which are capable of more than this, for example logging in someone at an HTTPS login form and maintaining that session while transferring them back to HTTP. OpenID's an example. Also think flickr or gmail: their sign in page is always HTTPS, but once the session's started you migrate back to HTTP while maintaining the session securely.
thomasrutter  2009-04-02 10:37:21
Do you have a link to something which explains how OpenID (or other sites) manage to migrate you back to HTTP but maintain session security? This is what I am failing to understand : having https for login and then insecure cookies and http sessions on a lot of sites...
Legooolas  2009-04-07 13:07:22
The things that most need protecting are the login credentials: whatever you supplied to log in (username/password, or certificate). With OpenID these are sent between yourself and the OpenID provider over HTTPS. OpenID communicates with the client site directly, not needing to send anything
thomasrutter  2009-04-07 13:29:23
sensitive back to the client, but sending a different set of credentials to the client site - ie proof of your OpenID URL encoded with the OpenID provider's private key, so the client site knows that the OpenID provider vouches for this person. Then, the client site maintains the session based
thomasrutter  2009-04-07 13:31:56
... on a session ID, which is single use and does not reveal the user's credentials or personal identity from that session ID. The risk of having the session hijacked (XSS, etc) still exists, but it is secure in that even if that happens, the attacker can't get your login details or OpenID account,
thomasrutter  2009-04-07 13:34:37
OpenID is too complicated to provide security, in my opinion, because ordinary people cannot understand how the security works. Other sites that log you in on an HTTPS host and then transfer you to a HTTP host, the general idea is that at least the login credentials were not sent in plain text.
thomasrutter  2009-04-07 13:37:47
Session hijacking after the login has been performed was something that I was thinking about, and it seems that the only way to avoid this is to use secure cookies.Thanks!
Legooolas  2009-04-07 15:11:00
Secure cookies and HTTPS won't do much to help with that. For example, they don't help with attacks such as XSS or CSRF. It will prevent an attacker reading the contents of the cookie IF you have no XSS vulnerabilities, but clickjacking and CSRF don't even need to attacker to read the cookie.
thomasrutter  2009-04-08 03:35:25

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security