Summary: Treat cookies set over non-secure HTTP as session cookies

Exactly one year ago today (!), Henri Sivonen proposed [1] treating cookies without the `secure` flag as session cookies.

PROS:

* Security: login cookies set over non-secure HTTP can be sniffed and replayed. Clearing those cookies at the end of the browser session would force the user to log in again next time, reducing the window of opportunity for an attacker to replay the login cookie. To avoid this, login-requiring sites should use HTTPS for at least their login page that set the login cookie.

* Privacy: most ad networks still use non-secure HTTP. Content sites that use these ad networks are prevented from deploying HTTPS themselves because of HTTP/HTTPS mixed content breakage. Clearing user-tracking cookies set over non-secure HTTP at the end of every browser session would be a strong motivator for ad networks to upgrade to HTTPS, which would unblock content sites' HTTPS rollouts.

However, my testing of Henri's original proposal shows that too few sites set the `secure` cookie flag for this to be practical. Even sites that primarily use HTTPS, like google.com, omit the `secure` flag for many cookies set over HTTPS.

Instead, I propose treating all cookies set over non-secure HTTP as session cookies, regardless of whether they have the `secure` flag. Cookies set over HTTPS would be treated as "secure so far" and allowed to persist beyond the current browser session. This approach could be tightened so any "secure so far" cookies later sent over non-secure HTTP could be downgraded to session cookies. Note that Firefox's session restore will persist "session" cookies between browser restarts for the tabs that had been open. (This is "eternal session" feature/bug 530594.)

To test my proposal, I loaded the home pages of the Alexa Top 25 News sites [2]. These 25 pages set over 1300 cookies! Fewer than 200 were set over HTTPS and only 7 had the `secure` flag. About 900 were third-party cookies. Treating non-secure cookies as session cookies means that over 1100 cookies would be cleared at the end of the browser session!

CONS:

* Sites that allow users to configure preferences without logging into an account would forget the users' preferences if they are not using HTTPS. For example, companies that have regional sites would forget the user's selected region at the end of the browser session.

* Ad networks' opt-out cookies (for what they're worth) set over non-secure HTTP would be forgotten at the end of the browser session.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1160368

Link to standard: N/A

Platform coverage: All platforms

Estimated or target release: Firefox 49

Preference behind which this will be implemented: network.cookie.lifetime.httpSessionOnly

Do other browser engines implement this? No

[1] https://groups.google.com/d/msg/mozilla.dev.platform/xaGffxAM-hs/aVgYuS3QA2MJ
[2] http://www.alexa.com/topsites/category/Top/News
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Reply via email to