Security: cookie hijack even with HTTPS

All about webserver configurations, PHP and databases.

Moderator: Thorsten

pt20100201
Posts: 134
Joined: Mon Feb 01, 2010 2:11 pm
Location: Porto . Portugal

Security: cookie hijack even with HTTPS

Post by pt20100201 »

Hi All

This is not a phpMyFAQ problem (and most – if not all – readers on this forum are likely to know this).

HTTP support for secure login (a very useful feature) was implemented in the phpMyFAQ 2.6.x series (thanks to the Development Team and to Tobias Hommel, who first suggested it and sent sample code).

In some circumstances it is possible to hijack cookies even when HTTPS is used.
This happens (for instance) if cookies aren’t marked as secure by the server.

Some user-side browser protection software (e.g. NoScript for Firefox) may force cookies to be marked as secure. However, this action should be performed on the origin (that is, on the server).

In our situation (apart from other security measures), editing the php.ini and (simply) changing the value from 0 to 1 in one line activates this cookie behavior.

The changed line:

session.cookie_secure = 1

In your case it may be necessary to perform other steps/actions on some configuration files.
If sensitive data is being served, a more reliable system is needed (naturally).

Note: one could also use HTTP ETag

Kind regards
2010-02-09
Pt20100201
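The post's point can be verified from the outside: with session.cookie_secure = 0 PHP sends its session cookie without the Secure attribute, so a browser will also transmit it over plain HTTP; with the value set to 1 the attribute is present. The following script is an added example, not code from the post or from phpMyFAQ. It parses Set-Cookie header values and reports cookies that lack Secure (and, going one step beyond the post, HttpOnly). The two header values are constructed samples in the shape PHP produces, not captures from a real server.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Added example, not part of the forum post or of phpMyFAQ. The sample
headers below are constructed; the cookie value is made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples: what PHP emits with session.cookie_secure = 0
# versus session.cookie_secure = 1 (plus session.cookie_httponly = 1).
WEAK_HEADER = "PHPSESSID=3f9a1c0b2d4e; path=/"
HARDENED_HEADER = "PHPSESSID=3f9a1c0b2d4e; path=/; secure; HttpOnly"


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265); keys are lower-cased.
    # Flag attributes such as Secure map to an empty string.
    attributes: Dict[str, str] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; empty list means no issue."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if not cookie.has_flag("secure"):
        findings.append(
            f"{cookie.name}: missing Secure; the browser will also send it "
            "over plain HTTP, so HTTPS alone does not protect the session id"
        )
    if not cookie.has_flag("httponly"):
        findings.append(
            f"{cookie.name}: missing HttpOnly; readable by page scripts"
        )
    return findings


def audit_headers(headers: List[str]) -> List[str]:
    """Audit every Set-Cookie value in a response, e.g. from
    response.headers.get_all('Set-Cookie') of http.client."""
    findings: List[str] = []
    for header in headers:
        findings.extend(audit_cookie(header))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {header}")
        for finding in audit_cookie(header) or ["no issue found"]:
            print("  -", finding)
```

To use it against a live server, collect the Set-Cookie values from an HTTPS response and pass them to audit_headers; an empty result means every cookie carried both attributes.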