Re: "secure" flag for HttpCookies
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 04 Jan 2006 22:31:19 -0800
Hi,
No - I cannot confirm - at least in 2.0.
this is part of the source of SetAuthCookie:
    // context1 is the current HttpContext; RequireSSL reflects <forms requireSSL="true">
    if (!context1.Request.IsSecureConnection && FormsAuthentication.RequireSSL)
    {
        // Refuse to issue the auth ticket over a non-SSL connection
        throw new HttpException(SR.GetString("Connection_not_secure_creating_secure_cookie"));
    }
Haven't checked for 1.1, though.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Dominick,
I checked up on this and confirmed that the issue exists with FormsAuthentication.SetAuthCookie as well, even when requireSSL is set to true in web.config. The initial "set-cookie" header sent from the server to the client can be sent over HTTP. It just dictates that the client will not send the cookie to the server on all requests. But this doesn't matter, because an attacker can just sniff the cookie on the initial "set-cookie" header from the server.
jas
"Dominick Baier [DevelopMentor]" wrote:
Hi,
I mean when requireSSL is set to true.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Hi,
this is at least an inconsistency -
FormsAuthentication.SetAuthCookie enforces SSL when setting the auth ticket.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
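As an added example (not code from this thread, and not the .NET Framework source quoted above), here is the defensive pattern the discussion points at: never emit the forms-auth ticket over a plaintext connection, and mark the cookie Secure so the browser only returns it over SSL. The class and method names (SecureAuthCookie, Issue, UnsecuredCookies) are hypothetical; it assumes an ASP.NET 2.0 application using System.Web.Security.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example: issue the forms-authentication cookie only over SSL and flag it
// Secure, so the initial Set-Cookie header never crosses the wire in plaintext.
public static class SecureAuthCookie
{
    // Hypothetical replacement for FormsAuthentication.SetAuthCookie(userName, persistent).
    public static void Issue(HttpContext context, string userName, bool persistent)
    {
        if (!context.Request.IsSecureConnection)
        {
            // The Secure attribute only governs when the browser sends the cookie back;
            // it does nothing for the Set-Cookie header itself, so refuse to issue it here.
            throw new HttpException(403, "Authentication cookie can only be issued over SSL.");
        }

        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        cookie.Secure = true;    // browser returns it on https:// requests only
        cookie.HttpOnly = true;  // keep client-side script away from the ticket (2.0+)
        context.Response.Cookies.Add(cookie);
    }

    // Audit helper: names of cookies in the outgoing response that lack the Secure flag.
    // Call it from Application_EndRequest in Global.asax and log anything it returns.
    public static string[] UnsecuredCookies(HttpResponse response)
    {
        List<string> names = new List<string>();
        foreach (string key in response.Cookies.AllKeys)
        {
            if (!response.Cookies[key].Secure)
            {
                names.Add(key);
            }
        }
        return names.ToArray();
    }
}
```

Unlike the framework check quoted above, Issue() does not consult FormsAuthentication.RequireSSL; it treats SSL as mandatory for the ticket regardless of web.config, which removes the configuration-dependent path the thread is debating.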