Top
Penetration Testing
Software
Contact
External
  • Also by EnableSecurity
    • SIPVicious
      VoIP Security related blog
    • VOIPSCANNER.com
      An online VoIP scanner which produces a report of security issues in your PBX.
« (not so) random ramblings | Main | Surf Jack - HTTPS will not save you »
Friday
Aug292008

Setting the secure flag in the cookie is easy

DateFriday, August 29, 2008 at 2:17PM
TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details should check out the paper.

The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I'll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.

PHP

bool setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )

Note that the $secure boolean should be set to true.

JSP / Java Server Pages


Cookie helloCookie = new Cookie("name",text);
helloCookie.setSecure(true);

ASP.NET
HttpCookie cookie = new HttpCookie('name');
cookie.Secure = True;
cookie.Value = 'Joe';

Perl with CGI.pm

(added by Noam)
$cookie = cookie(-name=>’sessionID’,
-value=>’xyzzy’,
-expires=>’+1h’,
-path=>’/cgi-bin/database’,
-domain=>’.capricorn.org’,
-secure=>1);

AuthorSandro Gauci | Comment4 Comments |
tagged , , , in

Reader Comments (4)

Thanks for the information Sandro.

August 29, 2008 | Unregistered CommenterFarid

For perl it is (using CGI.om):
$cookie = cookie(-name=>'sessionID',
-value=>'xyzzy',
-expires=>'+1h',
-path=>'/cgi-bin/database',
-domain=>'.capricorn.org',
-secure=>1);

September 20, 2008 | Unregistered CommenterNoam Rathaus

In ASP.NET you can update the web.config to have cookieRequireSSL="true"

September 24, 2008 | Unregistered CommenterWyatt

there's a workaround, how to securely pass your session from https to http: create a separate session id for http (could be md5(securesessid) ) and make the association in server level. of course, you should not trust the insecure sess id when returnng to https site.

February 11, 2011 | Unregistered CommenterMark in Tallinn

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Notify me of follow-up comments via email.