On 12/28/2012 02:22 PM, Reindl Harald wrote:
Am 28.12.2012 20:19, schrieb Benny Pedersen:
Robert Moskowitz skrev den 2012-12-28 20:06:
Any connection to http://webmail.foo.com gets returned as https://webmail.foo.com It took a bit of reading to get to this setup.
http:// link should be a separate documentroot in apache with a diff content on that homepage that just say use https:// to get webmail access
you still did not understand the basics
if the cookies itself are not flagged with "secure only" the different docroot does not help in any way
This basic browser behavior fact is critical in understanding the attack space against cookie content.
Thank you for the edification.
- you can place
any redirect, info-page or whatever to the http:// site but after you get the cookie from https:// roundcube and call the http:// URL you will send your cookie UNENCRYPTED
why?
because cookies are DOMAIN based, the domain is the same
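The point made above, as an added example that is not part of the thread: Python's standard http.cookiejar applies the same rule browsers do, so a cookie issued over https:// without the Secure attribute is attached to a plain http:// request for the same host, while one flagged Secure is not. The hostnames are the ones from the thread, the session-id values and the helper names (cookie_header_sent, _FakeResponse) are constructed for this demonstration, and no network traffic occurs.

```python
"""Show why a separate http:// docroot does not protect a session cookie
unless the cookie carries the Secure attribute (constructed example)."""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

WEBMAIL_HTTPS = "https://webmail.foo.com/"  # where roundcube sets the cookie
WEBMAIL_HTTP = "http://webmail.foo.com/"    # the plain-text docroot / redirect


class _FakeResponse:
    """Minimal stand-in for a urllib response: the jar only calls .info()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_value, target_url):
    """Store a cookie issued by the HTTPS webmail host, then return the
    Cookie header (or None) the client would attach to a request for
    target_url. The jar enforces domain, path and Secure like a browser."""
    jar = CookieJar()
    login_request = Request(WEBMAIL_HTTPS)
    jar.extract_cookies(_FakeResponse(set_cookie_value), login_request)

    later_request = Request(target_url)
    jar.add_cookie_header(later_request)
    return later_request.get_header("Cookie")


if __name__ == "__main__":
    # Constructed sample session ids, not real values.
    weak = "roundcube_sessid=abc123; Path=/; HttpOnly"
    hardened = "roundcube_sessid=abc123; Path=/; HttpOnly; Secure"
    for label, value in (("without Secure", weak), ("with Secure", hardened)):
        # The http:// line is the cookie leaking in clear text (or not).
        print(f"{label}: http  -> {cookie_header_sent(value, WEBMAIL_HTTP)}")
        print(f"{label}: https -> {cookie_header_sent(value, WEBMAIL_HTTPS)}")
```

Expected result: the cookie without Secure is sent to both URLs; the Secure one is sent only to the https:// URL, so the http:// redirect page never sees it.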