Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jason (security_at_brvenik.com)
Date: Fri Jul 26 2002 - 12:08:30 CDT
The IE "bug" is not a bug and IIRC introduced to overcome another _bug_
in the IE implementation if SSL. There is no requirement that a session
be resumed in SSL or TLS.
To your question though,
SSL only protects the content in transit, it will not prevent the cookie
from being stolen once the browser has it. It will also not prevent a
Cross Site Scripting attack from providing the cookie to an attacker.
There are also local file reading, clipboard copy... issues in IE that
make the cookie available if someone really wants it.
Bottom line is that if security is that much of a concern then you will
not be using cookies to authenticate and will instead use a stronger
method like client Certs.
It is even more difficult to steal Basic Auth credentials over an SSL
session than it is to steal a cookie. Use the cookie to maintain
preferences... but nothing related to authentication or authorization if
security is an issue.
Bryan Ponnwitz wrote:
> Am I missing something here? It seems like, although not necessary, the
> IE 5.x "bug" isn't such a bad thing. As Mike Gemony pointed out, if
> you're using SSL, then cookies are encrypted anyway; so you should be
> stealing them. So why even bother to think about the SSL session ID?
> When I develop web apps for secure servers, I even develop them on a
> non-secure server first, and then just copy it over since SSL is
> invisible to the programmer. Unless there's something wrong with what
> I'm thinking, I don't really see the issue.
> Bryan Ponnwitz
> Webmaster - Broome-Tioga Boces
> (607) 763-3609