How do SSL & cookies work?
Cookies can be set per protocol, so that HTTPS cookies are not used for HTTP and vice versa. Also, a properly constructed secure token should include an IP address and have a short expiration time.
But in general the best idea is of course to keep the authenticated session in a secure channel - SSL is not that heavyweight these days (as computers became much faster than when SSL was first introduced), and also the heaviest part is the handshake, which is performed only once if a persistent HTTP connection is used (or when SSL session resumption is used).
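As an added illustration (not part of the answer above), here is a Python sketch of the two ideas in the answer: a short-lived, IP-bound signed token, and a cookie marked Secure so the browser only attaches it to HTTPS requests. The key, the cookie name and the `browser_sends_cookie` model of browser behaviour are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed per-server secret; in practice it is loaded from configuration, never hard-coded.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(user, client_ip, ttl_seconds=600, now=None):
    """Signed token bound to the client IP with a short expiry (the 'secure token' of the answer)."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{client_ip}|{now + ttl_seconds}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_token(token, client_ip, now=None):
    """Return the user if the signature checks, the IP matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, ip, exp, sig = parts
    expected = hmac.new(SERVER_KEY, f"{user}|{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    if ip != client_ip or now >= int(exp):
        return None  # presented from another address, or expired
    return user

def set_cookie_header(token, max_age=600):
    """Set-Cookie value: Secure restricts the cookie to HTTPS, HttpOnly keeps page scripts from reading it."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["max-age"] = max_age
    return c.output(header="").strip()

def browser_sends_cookie(set_cookie_value, request_url):
    """Model of the browser rule: a Secure cookie is attached only to https:// requests."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    is_secure = bool(c["session"]["secure"])
    return not is_secure or urlsplit(request_url).scheme == "https"
```

With the Secure flag set, a plain-HTTP visit to the same site carries no session cookie at all, which is exactly why the server will not recognize the user there.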
Comments
-
iraSenthil almost 2 years
I understand, we use SSL to encrypt sensitive data like user name and password to be transported to the server without people in the network eavesdropping. So then the server returns a secure token over HTTPS and it's stored in a cookie. We switch to HTTP after we have the secure token, and we attach the cookie/secure token header to every HTTP request.
Now anybody can see my secure token and they can eavesdrop it and impersonate me. Is my understanding correct?
-
iraSenthil about 13 years
So if I just close the browser and didn't log out and somebody navigates to the site within the session expiration time, they can see my account details. Is my understanding correct?
-
iraSenthil about 13 years
//The cookies can be set per protocol, so that HTTPS cookies are not used for HTTP and vice versa.// How does it help if I want to use the cookie for identifying the client? Once I switch it to HTTP, then my identity is up in the air, anybody can grab it right?
-
Eugene Mayevski 'Callback about 13 years
@irasenthil 1. Even if you don't close the browser, the cookie can be stolen from computer memory and misused. But this would mean that your computer is compromised and you are in trouble anyway.
-
Eugene Mayevski 'Callback about 13 years
@irasenthil "Once I switch it to HTTP, then my identity is up in the air" No, if you use HTTPS-specific cookies, they won't be sent when you switch to HTTP.
-
iraSenthil about 13 years
@Eugene //if you use HTTPS-specific cookies, they won't be sent when you switch to HTTP// How would the server identify me after I switch from HTTPS to HTTP? Would it send two different cookies, one for HTTPS and another one for HTTP?
-
Eugene Mayevski 'Callback about 13 years
@iraSenthil As I mentioned, from a security point of view it's wiser to have all "authenticated" traffic go through HTTPS, i.e. not to switch to HTTP. This is what we do on our site - if you are logged in (which is done only via HTTPS) and visit the site via HTTP, the system just doesn't recognize you. This is intentional, to prevent stealing of the authentication information itself and of information which is available only to authenticated users.