Comments on: Simple Lesson on Secure Cookies

By: Mike

Mike — Tue, 29 Sep 2009 20:53:47 +0000

I completely agree with this article. However, I would like to point out that the fact that browsers have to provide a bypass for certs is in part due to the fact that some websites don’t do their certs right or let them expire – and yes, without the bypass, it would break the web. I just wanted to make sure that we acknowledge that the cert issue is due mostly to laziness on the part of the website admin.

By: Anonymous

Anonymous — Sat, 27 Sep 2008 12:23:39 +0000

Sorry, example HTML got stripped out of my comment. The image tag would look like this:

{img src=”http://www.facebook.com/favicon.ico”}

where { and } are replaced by less-than and greater-than symbols

By: Anonymous

Anonymous — Sat, 27 Sep 2008 12:20:59 +0000

@Andre Gironda: I don’t think you understand the vulnerability caused by insecure session cookies. Even though you are restricting your own navigating to HTTPS-only, it is amazingly for an attacker to force your browser to send your cookies over an insecure connection (non-HTTPS). That’s why it’s so big a problem.

For example, to force a browser to leak all of its Facebook cookies, insert an image tag like this into ANY web page your browser loads ANYWHERE:

Now that the attacker has read the session cookies that you’ve leaked, he can simply copy them to his own browser and browse away as if he were you.

(Facebook was used as a simple and well-known example target. Obviously this has security implications far beyond Facebook, most worryingly for banking and other financial websites.)

By: Andre Gironda

Andre Gironda — Fri, 12 Sep 2008 21:55:50 +0000

After playing around with .google.com, http://www.google.com, and mail.google.com cookies – it appears that one or all of the apps will still set an unencrypted SID cookie for .google.com. Sigh.

I am going to stick with my old methods of doing things, which basically is “never go to a Google domain of any kind unless it’s SSL – when I’m authenticated to any Google application, especially GMail”.

As an example, GMail is marking this cookie without the secure flagh
gmailchat=username@gmail.com/111111

By: Dylan Kelcher

Dylan Kelcher — Fri, 12 Sep 2008 20:46:30 +0000

Yes, yes and yes. Great stuff, thank you.

I’m working on a few Greasemonkey scripts (to be ported to an extension later on) for just this very thing.

My first visit to your site, but based on this, you’re a bookmarked regular now. Many thanks brother.

By: Lesson on Secure Cookies « 100% free

Lesson on Secure Cookies « 100% free — Thu, 11 Sep 2008 07:12:45 +0000

[...] Article Source (Continued) [...]

By: Andre Gironda

Andre Gironda — Wed, 10 Sep 2008 00:18:12 +0000

MikeA: I use Firecookie, too.

I used to use Add N Edit Cookies. I still use CookieCuller to mark cookies as protected (for ones that I want to keep around a long time). Although setting cookies as secure doesn’t have the same feeling if I have to do it manually.

Billy’s method is neat (especially if automated with Technika) and gave me some new ideas. Rock on!

By: Mike A.

Mike A. — Tue, 09 Sep 2008 12:28:40 +0000

“we could also use a browser plugin with a nice UI and fine grained control over each cookie attribute…”

The Firecookie add-on can be used to edit cookies and set them to secure.