On 12/28/2012 02:39 PM, Reindl Harald wrote:
On 28.12.2012 20:35, Robert Moskowitz wrote:
On 12/28/2012 02:09 PM, Reindl Harald wrote:
On 28.12.2012 20:06, Robert Moskowitz wrote:
Harald,
I am beginning to see what you are doing; through some foggy glasses. Still need to read more, and today was not a reading day. I am struggling to understand the attack space.
How can the user submit their cookie over a non-SSL connection when the server redirects everything to https? The only scenario I have come up with is: with the login screen in front of them, the user changes the method to http, enters their data and sends?
Because the browser sends cookies in the HTTP header at the first connect. The redirect from the server is also a header, of the RESPONSE; at this time the cookie was already sent unencrypted.
Ah, such brilliance in overhead reduction.
So your little bit would have to change the cookie content so that the browser is informed that this cookie is only to be sent over a secure connection? Only way I see to stop this behavior is for the cookie to be flagged.
<Directory "/usr/share/roundcube">
    php_admin_flag session.cookie_secure "1"
</Directory>
which I already explained yesterday: http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure
Yes, I got that and am now 'getting it'. Just nit-picking: you use "1", the manual says boolean with the default of off, so just two ways of representing a boolean, numeric or label. In my way of thinking (hey, I am dyslexic), labels reduce confusion because there is only off and on (no maybes), while numeric raises the question of "2"...?
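The sequence Harald describes (cookie already on the wire in the first plain-HTTP request, before the https redirect arrives) modelled in Python as an added example, not code from the thread; the cookie name, value and host are constructed, and the Secure/no-Secure pair stands in for what session.cookie_secure toggles on Roundcube's PHP session cookie.

```python
"""Model of RFC 6265 cookie-sending rules vs. the Secure attribute.

Added example for the thread above; nothing here is from the thread or
from Roundcube/PHP. Sample cookies and URLs are constructed."""
from http import cookies
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> cookies.Morsel:
    """Parse one Set-Cookie header value with the stdlib parser."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    (morsel,) = jar.values()
    return morsel


def would_browser_send(morsel: cookies.Morsel, url: str) -> bool:
    """RFC 6265 sec. 5.4: a cookie carrying the Secure attribute is only
    attached to requests over a secure scheme. Without it, the browser
    attaches the cookie to a plain http:// request as well, and that
    request leaves the machine before any 301/302 to https comes back."""
    scheme = urlsplit(url).scheme
    if morsel["secure"] and scheme != "https":
        return False
    return True


def audit_session_cookies(headers: list) -> list:
    """Names of cookies from the given Set-Cookie headers that lack the
    Secure flag, i.e. what session.cookie_secure=1 would have added."""
    return [m.key for m in map(parse_set_cookie, headers) if not m["secure"]]


# Constructed samples: PHP's default session cookie, and the same cookie
# as emitted once session.cookie_secure is switched on.
DEFAULT = "PHPSESSID=abc123; path=/; HttpOnly"
HARDENED = "PHPSESSID=abc123; path=/; HttpOnly; Secure"
FIRST_REQUEST = "http://mail.example.org/"   # what the user typed

if __name__ == "__main__":
    for label, hdr in (("default", DEFAULT), ("hardened", HARDENED)):
        sent = would_browser_send(parse_set_cookie(hdr), FIRST_REQUEST)
        print(f"{label:9s} cookie sent on {FIRST_REQUEST}: {sent}")
    print("missing Secure:", audit_session_cookies([DEFAULT, HARDENED]))
```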