[horde] Cookie Hijacking with Horde/IMP??
MailingListe
lst_hoe02 at kwsoft.de
Tue Aug 12 15:34:29 UTC 2008
Hello
In today's news there was an article about cookie hijacking even for SSL-secured
connections. As far as I understand it, it works as follows:
The attacker must be able to sniff traffic from the client, e.g. by joining the
same WLAN.
The attacker must get the victim to access a link in the domain which is
running the secured site with "http" instead of "https", e.g. by sending
a link in mail.
With this the session can be stolen by hijacking the cookie, which is
transferred unencrypted to the fake link. This can only be prevented by
using "secure cookies".
I found the setting "session.cookie_secure" in php.ini, but as far as I
know this will prevent the cookie from being transmitted over an
unencrypted link.
The question is now:
- What happens if we allow "http"? Will these clients use URL cookies,
or are they not able to access IMP/Horde anymore without "https"?
- Is the setting used or reset by "session_set_cookie_params" in the
Horde code anyway?
A link to some discussion on this problem is
http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Thanks for any comment/hint
Regards
Andreas
--
All your trash belong to us ;-) www.spamschlucker.org
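The scenario Andreas describes, as an added example that is not part of the original post and not Horde/IMP code: Python's standard-library cookie jar implements the usual browser rule that a cookie carrying the Secure attribute is only attached to https requests, so it can show what a client does with the session cookie once it is lured onto a plain-http link of the same site. The host names, the cookie name "Horde", its value and the Set-Cookie headers are constructed for the demonstration and are not taken from a real Horde installation.

```python
"""Simulate cookie hijacking over a plain-http link, using the policy
built into http.cookiejar.  Added example, not Horde/IMP code; all
names, values and headers below are constructed for illustration."""
import email.message
import http.cookiejar
import urllib.request

# Constructed sample: the Set-Cookie header a webmail login page might
# return, once without and once with the Secure attribute.  The cookie
# name and value are invented.
WITHOUT_SECURE = "Horde=abc123; Domain=.example.org; Path=/; HttpOnly"
WITH_SECURE = "Horde=abc123; Domain=.example.org; Path=/; Secure; HttpOnly"

# Where the victim logged in (encrypted) ...
LOGIN_URL = "https://webmail.example.org/imp/login.php"
# ... and the "fake link" from the post: same host, plain http, sniffable.
ATTACKER_LINK = "http://webmail.example.org/imp/"


class _FakeResponse:
    """Minimal stand-in for http.client.HTTPResponse: the cookie jar only
    calls .info() to read the response headers."""

    def __init__(self, set_cookie_header):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def jar_after_login(set_cookie_header):
    """Return a CookieJar holding the session cookie, as a browser would
    after receiving set_cookie_header in the response to the https login."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_header),
                        urllib.request.Request(LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie request header the jar attaches to a request for
    url, or None when the jar's policy withholds every cookie."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaks_over_http(set_cookie_header):
    """True if the session cookie set by set_cookie_header would be sent
    in clear to the attacker's http link."""
    jar = jar_after_login(set_cookie_header)
    return cookie_header_for(jar, ATTACKER_LINK) is not None


if __name__ == "__main__":
    for label, hdr in (("without Secure", WITHOUT_SECURE),
                       ("with Secure", WITH_SECURE)):
        jar = jar_after_login(hdr)
        print(f"{label}: https -> {cookie_header_for(jar, LOGIN_URL)!r}, "
              f"http -> {cookie_header_for(jar, ATTACKER_LINK)!r}")
```

Without the Secure attribute the cookie goes out on the http request and can be read off the wire; with it the client keeps the cookie for https only. On the PHP side the attribute comes from `session.cookie_secure = 1` in php.ini or from the `$secure` argument of `session_set_cookie_params()`, whichever is set last before `session_start()`; the HttpOnly flag in the sample is unrelated to this attack and only keeps script on the page from reading the cookie.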