Re: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-09 Thread Bastien Koert
On Tue, Nov 9, 2010 at 2:10 PM, Adam Richardson wrote:
>>
>> If the cookie needs to be encrypted, why not just encrypt it and worry less
>> about the transport layer? Or just down one hash value id cookie and pull
>> back the secure data for action just on the server?
>>
>> Bastien
>
>
> The issue highlighted in Yannick's question wouldn't be resolved by merely
> encrypting the cookie value.
>
> Encrypting a cookie value protects the value encrypted, and for some
> situations this is exactly what you want.  Maybe you're storing preferences
> for your app, but want to make sure they aren't tampered with, etc.
>
> However, encrypting a cookie that's used as an auth token won't buy you
> anything if the transport layer doesn't provide encryption.  That's because
> an auth token's mere presence works to sufficiently identify an authenticated
> user.  I don't have to know what the value in the cookie means in any way.
>
> Does this help clear up your question, or did I misunderstand you, Bastien?
>
> Adam
>
> --
> Nephtali:  PHP web framework that functions beautifully
> http://nephtaliproject.com
>

Nope, makes sense, Adam.

Thanks,

-- 

Bastien

Cat, the other other white meat

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-09 Thread Adam Richardson
>
> If the cookie needs to be encrypted, why not just encrypt it and worry less
> about the transport layer? Or just down one hash value id cookie and pull
> back the secure data for action just on the server?
>
> Bastien


The issue highlighted in Yannick's question wouldn't be resolved by merely
encrypting the cookie value.

Encrypting a cookie value protects the value encrypted, and for some
situations this is exactly what you want.  Maybe you're storing preferences
for your app, but want to make sure they aren't tampered with, etc.

However, encrypting a cookie that's used as an auth token won't buy you
anything if the transport layer doesn't provide encryption.  That's because
an auth token's mere presence works to sufficiently identify an authenticated
user.  I don't have to know what the value in the cookie means in any way.

Does this help clear up your question, or did I misunderstand you, Bastien?

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com


Re: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-08 Thread Bastien


On 2010-11-08, at 9:58 AM, Adam Richardson wrote:

>> 
>> Couldn't Yannick also use $_SERVER['HTTPS'] and take action for the session
>> and cookies accordingly?
>> 
>> Regards,
>> Tommy
> 
> 
> Not to my understanding.
> 
> When a visitor makes a request, the browser must determine which cookies are
> appropriate for transmitting in the request.  By the time PHP processes the
> request, it's too late if a packet sniffer has intercepted an unencrypted
> request.  Even if you carefully use $_SERVER['HTTPS'] to manually set up
> session tracking with your own cookie, subsequent unencrypted requests would
> be vulnerable without the flag.
> 
> The secure flag for cookies is precisely for situations where you want to
> help the browser understand that a particular cookie should be protected.
> However, people can run into trouble by assuming that this automatically
> means that a cookie is only transmitted over HTTPS requests.  For most
> browsers, this is the default behavior, but the RFC isn't as demanding as
> one might expect:
> 
> http://www.ietf.org/rfc/rfc2965.txt
> 
> ===
> 
> Secure
> 
> OPTIONAL.
> 
> The Secure attribute (with no value) directs the user
> agent to use only (unspecified) secure means to contact the origin
> server whenever it sends back this cookie, to protect the
> confidentiality and authenticity of the information in the cookie.
> *The user agent (possibly with user interaction) MAY determine what
> level of security it considers appropriate for "secure" cookies
> [emphasis added]*. The Secure attribute should be considered security
> advice from the server to the user agent, indicating that it is in the
> session's interest to protect the cookie contents.  When it sends a
> "secure" cookie back to a server, *the user agent SHOULD use no less
> than the same level of security as was used when it received the
> cookie from the server [emphasis added]*.
> 
> =
> 
> So, use the flag, but remember it's not a fix-all.
> 
> Adam
> 
> -- 
> Nephtali:  PHP web framework that functions beautifully
> http://nephtaliproject.com

If the cookie needs to be encrypted, why not just encrypt it and worry less 
about the transport layer? Or just down one hash value id cookie and pull back 
the secure data for action just on the server?

Bastien



Re: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-08 Thread Adam Richardson
>
> Couldn't Yannick also use $_SERVER['HTTPS'] and take action for the session
> and cookies accordingly?
>
> Regards,
> Tommy


Not to my understanding.

When a visitor makes a request, the browser must determine which cookies are
appropriate for transmitting in the request.  By the time PHP processes the
request, it's too late if a packet sniffer has intercepted an unencrypted
request.  Even if you carefully use $_SERVER['HTTPS'] to manually set up
session tracking with your own cookie, subsequent unencrypted requests would
be vulnerable without the flag.

The secure flag for cookies is precisely for situations where you want to
help the browser understand that a particular cookie should be protected.
However, people can run into trouble by assuming that this automatically
means that a cookie is only transmitted over HTTPS requests.  For most
browsers, this is the default behavior, but the RFC isn't as demanding as
one might expect:

http://www.ietf.org/rfc/rfc2965.txt

===

Secure

OPTIONAL.

The Secure attribute (with no value) directs the user
agent to use only (unspecified) secure means to contact the origin
server whenever it sends back this cookie, to protect the
confidentiality and authenticity of the information in the cookie.
*The user agent (possibly with user interaction) MAY determine what
level of security it considers appropriate for "secure" cookies
[emphasis added]*. The Secure attribute should be considered security
advice from the server to the user agent, indicating that it is in the
session's interest to protect the cookie contents.  When it sends a
"secure" cookie back to a server, *the user agent SHOULD use no less
than the same level of security as was used when it received the
cookie from the server [emphasis added]*.

=

So, use the flag, but remember it's not a fix-all.

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com
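A quick way to confirm that a deployed application actually emits the Secure flag discussed above, added here as an example and not part of Adam's message or of RFC 2965: the script parses Set-Cookie header lines (the sample lines below are constructed, for instance what `curl -I` would print for a PHP app) and reports which cookies lack the Secure and HttpOnly attributes. Attribute matching is case-insensitive and order-independent, as browsers treat it. The function names are this example's own.

```php
<?php
// Added example (not code from the thread): audit Set-Cookie headers for the
// Secure and HttpOnly attributes. Sample header lines are constructed.

// Split one Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names to values (or true for bare flags like "secure").
function parse_set_cookie($header)
{
    $parts = array_map('trim', explode(';', $header));
    $nameValue = array_shift($parts);
    list($name) = explode('=', $nameValue, 2);

    $attrs = array();
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        if (strpos($part, '=') !== false) {
            list($k, $v) = explode('=', $part, 2);
            $attrs[strtolower(trim($k))] = trim($v);
        } else {
            $attrs[strtolower($part)] = true;   // bare flag: Secure, HttpOnly
        }
    }
    return array('name' => trim($name), 'attrs' => $attrs);
}

// Report which of the two transport/script-protection flags are absent.
function audit_set_cookie($header)
{
    $c = parse_set_cookie($header);
    $missing = array();
    if (!isset($c['attrs']['secure'])) {
        $missing[] = 'Secure';
    }
    if (!isset($c['attrs']['httponly'])) {
        $missing[] = 'HttpOnly';
    }
    return array('name' => $c['name'], 'missing' => $missing);
}

// Constructed sample headers: a default PHP session cookie, the same cookie
// after session_set_cookie_params() with secure and httponly, and a
// preference cookie.
$headers = array(
    'Set-Cookie: PHPSESSID=abc123; path=/',
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly',
    'Set-Cookie: lang=en; expires=Fri, 12-Nov-2010 00:00:00 GMT; path=/',
);

foreach ($headers as $h) {
    $line = preg_replace('/^Set-Cookie:\s*/i', '', $h);
    $r = audit_set_cookie($line);
    echo $r['name'], ': ',
        $r['missing'] ? 'missing ' . implode(', ', $r['missing']) : 'ok',
        "\n";
}
```

Run against a real response, the first sample line is what an unmodified session_start() on an HTTP/HTTPS site produces; only the second form keeps the session ID off plain-HTTP requests. A missing Secure on a non-auth cookie such as `lang` is a judgement call, which is why the script reports rather than fails.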


RE: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-08 Thread Tommy Pham
> -Original Message-
> From: Adam Richardson [mailto:simples...@gmail.com]
> Sent: Sunday, November 07, 2010 2:22 PM
> To: PHP-General
> Subject: Re: [PHP] Is session_start() using encrypted cookies with HTTPS
> 
> On Sun, Nov 7, 2010 at 2:39 PM, Yannick Warnier
> wrote:
> 
> > Hi all,
> >
> > It came to my attention through the Netcraft newsletter[1] that
> > cookies in a web application are not always sent encrypted when a
> > server is contacted through HTTPS.
> >
> 
> Not quite.  Requests and responses over HTTPS are encrypted, including the
> cookie header.  However, in the resource you cited, there were security
> issues because auth cookies were sent even over standard requests.  The
> browser has to be told (through the flag) that the cookie should only be sent
> on encrypted requests.
> 
> 
> >
> > Would someone know the internals of that function and whether there is
> > a way to force it to secure=true when the connection is made through
> > HTTPS? Or maybe my question doesn't make sense because I am missing
> > the point on how it works?
> >
> 
> Call this function with the appropriate settings before you call
> session_start() (or make some changes to php.ini):
> http://php.net/manual/en/function.session-set-cookie-params.php
> 
> 
> >
> > I develop an open-source application which can be used through both
> > HTTP and HTTPS, so I'm a bit worried about not having this question
> > answered in the doc for session_start().
> >
> 
> Perhaps a link could be added to the documentation, although the function
> session_set_cookie_params() does appear in the secondary navigation in
> the left column, and not all sessions use cookies.
> 
> 
> >
> > Thanks,
> >
> > Yannick Warnier
> >
> > [1]
> >
> > http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
> > [2] http://www.php.net/setcookie
> > [3] http://www.php.net/session-start
> >
> 
> Hope this helps,
> 
> Adam
> 
> --
> Nephtali:  PHP web framework that functions beautifully
> http://nephtaliproject.com

Couldn't Yannick also use $_SERVER['HTTPS'] and take action for the session
and cookies accordingly?

Regards,
Tommy






Re: [PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-07 Thread Adam Richardson
On Sun, Nov 7, 2010 at 2:39 PM, Yannick Warnier wrote:

> Hi all,
>
> It came to my attention through the Netcraft newsletter[1] that cookies
> in a web application are not always sent encrypted when a server is
> contacted through HTTPS.
>

Not quite.  Requests and responses over HTTPS are encrypted, including the
cookie header.  However, in the resource you cited, there were security
issues because auth cookies were sent even over standard requests.  The
browser has to be told (through the flag) that the cookie should only be
sent on encrypted requests.


>
> Would someone know the internals of that function and whether there is a
> way to force it to secure=true when the connection is made through
> HTTPS? Or maybe my question doesn't make sense because I am missing the
> point on how it works?
>

Call this function with the appropriate settings before you call
session_start() (or make some changes to php.ini):
http://php.net/manual/en/function.session-set-cookie-params.php


>
> I develop an open-source application which can be used through both HTTP
> and HTTPS, so I'm a bit worried about not having this question answered
> in the doc for session_start().
>

Perhaps a link could be added to the documentation, although the function
session_set_cookie_params() does appear in the secondary navigation in the
left column, and not all sessions use cookies.


>
> Thanks,
>
> Yannick Warnier
>
> [1]
>
> http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
> [2] http://www.php.net/setcookie
> [3] http://www.php.net/session-start
>

Hope this helps,

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com
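A worked version of the advice above, added here and not part of Adam's reply: it derives the secure flag from $_SERVER['HTTPS'] and calls session_set_cookie_params() before session_start(), which is the sequence the thread recommends. The helper names request_is_https() and start_secure_session() are this example's own; the functions and ini directives they call are standard PHP.

```php
<?php
// Added example (not code from the thread): configure the session cookie
// before session_start() so the session ID is marked Secure (HTTPS only)
// whenever the current request itself arrived over HTTPS, and HttpOnly so
// page script cannot read it.

// True when the request came in over TLS. Most SAPIs set $_SERVER['HTTPS']
// to a non-empty value; some set it to 'off' for plain HTTP, so test both.
function request_is_https(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Hypothetical helper name; every call inside is standard PHP.
function start_secure_session(array $server)
{
    $secure = request_is_https($server);

    // Only accept the session ID from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // lifetime 0: expire when the browser closes; path '/'; domain '':
    // current host; secure: derived above; httponly: true.
    session_set_cookie_params(0, '/', '', $secure, true);

    if (!session_start()) {
        return false;
    }

    // A session ID that was ever handed out over plain HTTP may have been
    // observed on the wire. The first time this session is seen over HTTPS,
    // replace the ID so the Secure cookie does not carry an exposed value.
    if ($secure && empty($_SESSION['https_only'])) {
        session_regenerate_id(true);
        $_SESSION['https_only'] = true;
    }

    return true;
}

start_secure_session($_SERVER);
```

If every page is served over HTTPS, the same result comes from php.ini (`session.cookie_secure = 1`, `session.cookie_httponly = 1`) with no per-request code. On a site reachable over both schemes, the non-Secure cookie issued to HTTP visitors is still sent in the clear on HTTP requests, which is exactly the gap Adam describes; the regeneration step above limits how far such an ID can be reused but does not make a mixed-scheme site equivalent to an HTTPS-only one.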


[PHP] Is session_start() using encrypted cookies with HTTPS

2010-11-07 Thread Yannick Warnier
Hi all,

It came to my attention through the Netcraft newsletter[1] that cookies
in a web application are not always sent encrypted when a server is
contacted through HTTPS.

Looking at the setcookie()[2] documentation, there is effectively a
specific parameter (set to false by default). The description of this
parameter says:
"Indicates that the cookie should only be transmitted over a secure
HTTPS connection from the client. When set to TRUE, the cookie will only
be set if a secure connection exists. On the server-side, it's on the
programmer to send this kind of cookie only on secure connection (e.g.
with respect to $_SERVER["HTTPS"])."

This part is clear. No problem with that.

However, my application relies on the session_start()[3] function, which
doesn't say anything about the potential differences in behaviour
between a secure and a non-secure connection (i.e. HTTPS or HTTP) when the
session identifier is set to be passed through cookies. However, the
session ID is still passed through a cookie, so somehow the cookie must
be set with a decision on whether the mode is secure or not.

Would someone know the internals of that function and whether there is a
way to force it to secure=true when the connection is made through
HTTPS? Or maybe my question doesn't make sense because I am missing the
point on how it works?

I develop an open-source application which can be used through both HTTP
and HTTPS, so I'm a bit worried about not having this question answered
in the doc for session_start().

Thanks,

Yannick Warnier

[1]
http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
[2] http://www.php.net/setcookie
[3] http://www.php.net/session-start


