On Thu, Apr 14, 2016 at 1:54 AM, Chris Peterson <cpeter...@mozilla.com>
wrote:

> Summary: Treat cookies set over non-secure HTTP as session cookies
>
> Exactly one year ago today (!), Henri Sivonen proposed [1] treating
> cookies without the `secure` flag as session cookies.
>
> PROS:
>
> * Security: login cookies set over non-secure HTTP can be sniffed and
> replayed. Clearing those cookies at the end of the browser session would
> force the user to log in again next time, reducing the window of
> opportunity for an attacker to replay the login cookie. To avoid this,
> login-requiring sites should use HTTPS for at least their login page that
> sets the login cookie.
>

Wouldn't that only be true for sites that limit users to one login session
at a time? For sites that allow more than one login session, when the user
logs in again each time, the original session cookie would not be
invalidated until the site decides to forget it. So if an attacker sniffed
the login cookie, they could replay it even after the user logged in again.
I know I have persistent logins to some sites on more than one computer,
but don't know how typical that is.

Haik
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
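The quoted policy (a cookie set over non-secure HTTP, or without the `secure` flag, is kept only for the browser session) as an added Python example; this is not code from the thread or from Firefox, and the names `CookieJar` and `parse_set_cookie` and the host `example.test` are my own. It shows that a `Max-Age` cookie delivered over plain HTTP is demoted to a session cookie and dropped at session end, while the same cookie delivered over HTTPS with `Secure` survives.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool               # Secure attribute present on the Set-Cookie line
    max_age: Optional[int]     # None means the server itself sent a session cookie

def parse_set_cookie(header: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus the Secure and Max-Age attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure, max_age = False, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "max-age":
            max_age = int(val.strip())
    return Cookie(name.strip(), value.strip(), secure, max_age)

class CookieJar:
    def __init__(self, demote_insecure: bool) -> None:
        self.demote_insecure = demote_insecure   # True switches the proposed policy on
        # (host, cookie name) -> (cookie, persistent across browser sessions?)
        self.store: Dict[Tuple[str, str], Tuple[Cookie, bool]] = {}

    def receive(self, url: str, set_cookie: str) -> bool:
        """Store a cookie received from `url`; returns whether it was kept as persistent."""
        u = urlparse(url)
        cookie = parse_set_cookie(set_cookie)
        persistent = cookie.max_age is not None
        # Proposed policy: a cookie that arrived over plain HTTP or lacks the
        # Secure attribute is treated as a session cookie regardless of Max-Age.
        if self.demote_insecure and (u.scheme != "https" or not cookie.secure):
            persistent = False
        self.store[(u.hostname, cookie.name)] = (cookie, persistent)
        return persistent

    def end_session(self) -> None:
        """Browser exit: drop every cookie that is not persistent."""
        self.store = {k: v for k, v in self.store.items() if v[1]}
```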
