Security team identified following flaw – Session Cookie without Secure flag set
http://www.enablesecurity.com/blog/2008/8/29/setting-the-secure-flag-in-the-cookie-is-easy.html
Original article on TechRepublic
http://www.techrepublic.com/blog/networking/https-surf-jacking-makes-it-vulnerable/634
TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details shouldcheck out the paper.
The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I’ll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.
bool setcookie ( string $name [, string $value [, int$expire [, string $path [, string $domain [, bool$secure [, bool $httponly ]]]]]] )
Cookie helloCookie = new Cookie(„name“,text);
helloCookie.setSecure(true);
HttpCookie cookie = new HttpCookie(‚name‘);
cookie.Secure = True;
cookie.Value = ‚Joe‘;
(added by Noam)
$cookie = cookie(-name=>’sessionID’,
-value=>’xyzzy’,
-expires=>’+1h’,
-path=>’/cgi-bin/database’,
-domain=>’.capricorn.org’,
-secure=>1);
In ASP.NET you can update the web.config to have cookieRequireSSL=“true“
