Commerce Server General - Does CS2002 use secure cookies?


Martin

2004-10-02, 8:59 pm

Hi,

I am hoping that if I use MSCSAuth tickets and have them stored in a cookie
that is set from an https page, that that cookie has the secure attribute
set, causing the browser to only send that cookie over https.

I don't know how this should be mimicked with URL rewriting other than
having a frame on every page that has https content.

I guess someone is going to say the answer is cookie encryption. How does
that stop cookie replay attacks, with IP spoofing?

Thanks
Martin


David Messner [MSFT]

2004-11-13, 5:47 pm

I searched the source code and found no references to
IWriteCookies::put_Secure, so it appears that this attribute is not set in
any case when Authmanager writes cookies.

Yes, this does leave some susceptibility to replay attacks. One suggestion
to mitigate this is to use two separate vroots for the secure and
non-secure parts of your site and only issue AuthTickets for the secure
part (which requires SSL).

Authtickets have a limited time window of validity, which also helps to
mitigate this problem (and they are non-persistent).

-djm
--
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2004 Microsoft Corporation. All rights
reserved.

--------------------
From: "Martin" <x@y.z>
Subject: Does CS2002 use secure cookies?
Date: Sat, 2 Oct 2004 11:12:54 +0100
Message-ID: <e7whjhGqEHA.3900@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.commerceserver.general
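A small defender-side check for the point David makes, added here as an example rather than anything from the thread or from Commerce Server: it parses Set-Cookie headers, shows that a cookie without the Secure attribute would be attached to plain-http requests too, and flags ticket cookies that lack Secure or that have been made persistent. The cookie name MSCSAuth comes from the thread; the attribute layouts and sample headers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return Cookie(name.strip(), value.strip(), attrs)

def would_browser_send(cookie: Cookie, scheme: str) -> bool:
    """Without Secure, the browser attaches the cookie to http and https alike."""
    if "secure" in cookie.attrs:
        return scheme == "https"
    return scheme in ("http", "https")

def audit(headers, ticket_names=("MSCSAuth",)):
    """Flag ticket cookies that lack Secure or that are made persistent."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in ticket_names:
            continue
        if "secure" not in cookie.attrs:
            findings.append(f"{cookie.name}: no Secure attribute, will be sent over plain http")
        if "expires" in cookie.attrs or "max-age" in cookie.attrs:
            findings.append(f"{cookie.name}: persistent cookie, ticket outlives the session")
    return findings

# Constructed sample headers (not captured from a real Commerce Server 2002 site).
SAMPLE_HEADERS = [
    "MSCSAuth=TICKET; path=/",                        # what the thread describes
    "MSCSAuth=TICKET; path=/; Secure",                # what Martin hoped for
    "MSCSAuth=TICKET; path=/; expires=Sat, 02-Oct-2004 23:59:59 GMT",
    "ShopperPref=en-gb; path=/",                      # not a ticket, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```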

Copyright 2003 - 2008 webservertalk.com