Can mod_rewrite secure cookies? - security

Say you only want to send cookies over HTTPS to the client - not over HTTP. You could use the HTTP secure flags as mentioned in this article. However, since you can use the Apache mod_rewrite module to send a redirect to the user from the HTTP version of your site to the HTTPS version, shouldn't that mean that it will secure the cookies? In other words, does the server send your cookies if it's sending out a redirect?

If you are redirecting from HTTP to HTTPS and then set cookies, these cookies will be set over HTTPS. Say you redirect the user from http://www.example.com to https://www.example.com, the Set-Cookie header sent from www.example.com to the user will be encrypted during transport.
However, if the user comes back and enters http://www.example.com in their browser, if the Secure Flag was not set on the cookie, the cookie will be sent over HTTP, unencrypted.
This can also happen if any internal links on your site are HTTP, any links on other sites to yours are HTTP or if a MITM attacker injects an HTTP resource from your site on another site (e.g. <img src="http://www.example.com/x.jpg" /> will leak the cookie over HTTP).
This is why it is advisable to set the secure flag. HSTS can be used to help ensure connections remain on HTTPS only, however setting the secure flag should be the primary focus.
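The behaviour described in the answer above can be reproduced offline. This is an added example, not part of the original answer: Python's http.cookiejar stands in for the browser (an assumption; browsers apply the same Secure rule), and the cookie name and value are constructed.

```python
import email
import urllib.request
from http.cookiejar import CookieJar
from types import SimpleNamespace


def cookie_header_sent(set_cookie, later_url):
    """Store a cookie received over HTTPS, then return the Cookie header the
    client attaches to a later request (None if no cookie is sent)."""
    jar = CookieJar()
    # Constructed response: the cookie arrives over HTTPS, i.e. after the
    # mod_rewrite redirect has already moved the user off HTTP.
    https_request = urllib.request.Request("https://www.example.com/")
    headers = email.message_from_string("Set-Cookie: " + set_cookie + "\n\n")
    jar.extract_cookies(SimpleNamespace(info=lambda: headers), https_request)

    # The later request goes out before any redirect can answer it, so the
    # cookie jar alone decides whether the cookie travels in cleartext.
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


# Constructed sample values.
WITHOUT_FLAG = "session=abc123; Path=/"
WITH_FLAG = "session=abc123; Path=/; Secure"
HTTP_URL = "http://www.example.com/x.jpg"    # the injected image from the answer
HTTPS_URL = "https://www.example.com/x.jpg"

if __name__ == "__main__":
    for label, header in (("no Secure flag", WITHOUT_FLAG),
                          ("Secure flag", WITH_FLAG)):
        print(label,
              "| over http:", cookie_header_sent(header, HTTP_URL),
              "| over https:", cookie_header_sent(header, HTTPS_URL))
```

The redirect only controls the response to the plain-HTTP request; the request itself, with any cookie not marked Secure, has already crossed the network by then.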

Related

How to completely force https only for website including for requests outside a browser?

We have an azure website, where we have the https only setting turned on, and we also have url rewrite rules set up as well so that when you go to our site at http://example.com (we have a custom domain that is secured with a cert using IP SSL - both example.com and www.example.com), you get redirected to https://example.com. When using a web browser, this clearly works. However, when using a tool such as Postman or vulnerability scanning, such as ZAP, the server is clearly responding to http and not redirecting the request to https. We are currently failing a vulnerability scan due to this, and we cannot figure out what else to do to get the site to force https. As I said, it works when using a web browser, but not with direct web requests from non-browser tools. Thanks!

Unable to set cookies for cloudfront for secure cookie based authentication

In our project, we are trying to integrate cookie-based authentication for content accessed using cloudfront cdn. Let's say that my application domain is A.com and is being accessed from B.com. A.com's content is served via cloudfront cdn. Now B.com wants to access content from secure cloudfront cdn. Generally B.com requests A.com for content. A.com redirects the request to cloudfront cdn. B.com has to send the authentication information to cloudfront.net via cookies with the redirected request.
See this for an elaborate diagram.
Now, I am setting the cookies in the response header of the initial request but am unable to find it in the redirected request header to cloudfront.net domain. As a result I am getting a 403 response and unable to access the content.
A.com can set the necessary cookies in the user's browser who is visiting application hosted in B.com domain. These third party cookies will be stored in the user's browser. When you access the A.com domain again, the stored third party cookies will be sent by the user's browser automatically with the request.
I can see that you want to send the A.com domain cookies to cloudfront.net domain and the browser will not allow it. Since the required cookies are not sent with the redirected request to cloudfront.net, the request is returning a 403 forbidden response.
If you own both the cdn distribution and the A.com domain, then you may create a cname say cdn.A.com which will point to your cdn distribution.
Now when the request is redirected to cdn.A.com to fetch the content, the necessary third party cookies will be sent across along with the request and the files could be accessed without any issues.

Cookie share with subdomain nodejs httponly cookie

I am using the express-session module to maintain sessions. I have two apps. I want to share cookies between these apps; the parent app runs on example.com, and the child app runs on child.example.com. I set an httponly cookie using express-session, and it is set in the child app. I can verify that cookie in the Resources tab of the Chrome debugger.
Network tab:
When the first call goes to the sub-domain:
It loads like "http://www.child.example.com" and the cookie is set in the request. When the URL is redirected to the server IP, the cookie is not available after that.
For example, at http://13.25.230.2/index the cookie is not available.
When you send the Set-Cookie HTTP header, you can specify the domain it is for.
Set-Cookie: name=value; domain=example.com
The domain must be a suffix of the domain hosting the page.
i.e. foo.example.com, bar.baz.example.com and www.example.com can all share a cookie belonging to example.com.
A URL using an IP address has no hostname in it at all and cannot match that rule.
There is no way to share your cookie between example.com and 13.25.230.2. Give the site a hostname instead.
There is no way you can set a cookie using the Set-Cookie header from one host to another, for example from example.com to foobar.com.
If you have to do it, then do it by passing the cookie value to a server-side script, for example foobar.com\set-my-cookie.php, and use it to save the cookie.
Httponly cookies cannot be set or read from client side code.

Subdomain cookie sharing in nginx

I have a server running some number of sites.
For example: example.com a.example.com b.example.com
All sites are routed via nginx to unix domain sockets.
Each of the sites is a gunicorn instance.
Can applications from subdomains read/write cookie data from example.com or from other subdomains?
If yes, how to disable it?
Sure, you can use separate cookies for the subdomain. The Cookie standards allow you to set a domain, which will be the only domain that browsers will send the cookie back to. You can set "a.example.com" as the domain, and browsers will only send cookies from that domain back to that domain.
From my reading of RFC 2965 for cookies, "a.example.com" cannot set a cookie for "b.example.com", only "example.com".
I think the bottom line is to be sure that you are using the "domain" property of cookies to set cookies for the subdomain, and not just "example.com", which all subdomains could read and write to.
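The Domain scoping rules discussed in the two subdomain answers above (child.example.com versus the bare IP, and a.example.com versus b.example.com) can be checked with a small model. This is an added example, not code from any of the posts; it follows the domain-match and storage rules of RFC 6265, which obsoletes the RFC 2965 cited above, and it omits the public-suffix check that browsers also apply. The function names are hypothetical.

```python
import ipaddress


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 5.1.3: identical strings, or host is a name (not an IP)
    that ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)


def store_cookie(setting_host, domain_attr=None):
    """Return the stored scope (domain, host_only), or None when the
    browser would reject the Set-Cookie header."""
    if not domain_attr:
        return (setting_host.lower(), True)     # host-only cookie
    domain = domain_attr[1:] if domain_attr.startswith(".") else domain_attr
    if not domain_match(setting_host, domain):
        return None                             # not a parent of the setting host
    return (domain.lower(), False)


def is_sent(scope, request_host):
    """Would a cookie with this stored scope accompany a request to request_host?"""
    if scope is None:
        return False
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)


if __name__ == "__main__":
    shared = store_cookie("child.example.com", "example.com")
    isolated = store_cookie("a.example.com")    # no Domain attribute
    for host in ("example.com", "a.example.com", "b.example.com", "13.25.230.2"):
        print(host, "| Domain=example.com:", is_sent(shared, host),
              "| host-only a.example.com:", is_sent(isolated, host))
    print("a sets Domain=b.example.com:", store_cookie("a.example.com", "b.example.com"))
```

Leaving the Domain attribute off is what keeps a cookie on a single host; setting it to the subdomain's own name still makes the cookie visible to hosts beneath that subdomain.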

How to secure iframe access of a secured domain from a non secure domain?

I have two domains. One is secured and the other is not. Currently, when the user submits form data I redirect the user to this secure website to collect further details. This redirection is made secure by means of cross domain cookies.
Now, instead of redirecting to the secure page I am planning to load the secure page in an iframe. But I am not aware of the security measures to be taken to secure this communication via iframe. How to ensure that this communication is secured? Will setting cross-domain cookies solve the problem?
I send a pixel request from the non-secure to the secure site, which in turn drops a cookie with its domain and sends back the pixel as a means of successful response. Now when the real request comes from the non-secure site, I check for the cookie and its domain, thereby creating a secure environment, and also made the page in the secure site a one-time visit page.
