1

Say, I have a website where users are required to login to access certain functionality. Once they are logged in, they are issued an authentication cookie. Some of the pages on the authenticated portion of the website use a secure connection, while others do not.

Is it possible for a man in the middle attack to steal the authentication cookie, if the user hits a page that does not use a secure connection?

Basically - should one always use a secure connection when accessing any part of a website that requires an authentication cookie?

TildalWave
  • 10,801
  • 11
  • 45
  • 84
Abe Miessler
  • 8,155
  • 10
  • 44
  • 72

2 Answers2

4

A "man in the middle", by definition, sees all traffic between the two victims (client and server) and can alter it at will. SSL (HTTPS) defeats MitM, subject to the usual caveats (the client must not trust a rogue CA, the human user must not click through the browser warnings about an invalid server certificate). If a site is HTTPS-only, then the MitM cannot do anything. If the site is HTTP-only, then the MitM can fake and forge and alter and inspect data at will. If the site is partly HTTPS, then the attacker can play with the non-HTTPS parts.

A cookie value is a value sent by the server, stored on the client, and the client sends it back to the server whenever it talks to it. If the cookie was marked as "Secure" and "HttpOnly" then the cookie will be safe from the MitM (at least, as long as no browser vulnerability is exploited): the cookie will be sent only through HTTPS, and the browse won't make it otherwise accessible (malicious Javascript, injected on the non-HTTPS parts of the site, will not be able to read the cookie either). Of course, this also means that the server will not receive the cookie as part of non-HTTPS requests.

It is hard to make a mixed HTTP/HTTPS site which resists MitM attackers, because you then need some very clear notions of security boundaries; and the MitM is in good position to do a lot of harm through the non-HTTPS parts of the site. Though the "Secure" and "HttpOnly" flags can keep your cookie values out of reach of the attacker, Web site security is not all about cookies (coookies are a tool, not a goal). It is altogether much simpler and much more secure to "bite the bullet" and go HTTPS site-wide.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
2

Yes this is possible. If you do not make sure that your cookies containing session ids or other confidential information for that matter, are passed over an SSL secured connection, you are at risk of a MiTM. So yes it is required.

There is however a way to force cookies over an SSL connection. This can be done (refer to the manual of the webserver/programming language you use) by adding the SECURE flag to all your cookies. If this flag is set, the client's browser will not allow for the cookie being sent over a non-secured connection.

Refer to OWASP - SecureFlag for more information.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196