Setting the secure flag in the cookies

Security team identified following flaw – Session Cookie without Secure flag set

http://www.enablesecurity.com/blog/2008/8/29/setting-the-secure-flag-in-the-cookie-is-easy.html

Original article on TechRepublic

http://www.techrepublic.com/blog/networking/https-surf-jacking-makes-it-vulnerable/634

TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details shouldcheck out the paper.

The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I’ll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.

PHP

bool setcookie ( string $name [, string $value [, int$expire [, string $path [, string $domain [, bool$secure [, bool $httponly ]]]]]] )

Note that the $secure boolean should be set to true.

Cookie helloCookie = new Cookie(„name“,text);
helloCookie.setSecure(true);

ASP.NET

HttpCookie cookie = new HttpCookie(‚name‘);
cookie.Secure = True;
cookie.Value = ‚Joe‘;

Perl with CGI.pm

(added by Noam)

$cookie = cookie(-name=>’sessionID’,
-value=>’xyzzy’,
-expires=>’+1h’,
-path=>’/cgi-bin/database’,
-domain=>’.capricorn.org’,
-secure=>1);

In ASP.NET you can update the web.config to have cookieRequireSSL=“true“

Jan D.
Jan D.

"The only real security that a man will have in this world is a reserve of knowledge, experience, and ability."

Articles: 679