[horde] Cookie Hijacking with Horde/IMP??

Jan Schneider jan at horde.org
Tue Aug 12 16:27:50 UTC 2008


Quoting MailingListe <lst_hoe02 at kwsoft.de>:

> Hello
>
> in today's news there was an article about cookie hijacking even for  
> SSL-secured connections. As far as I understand, it works as follows:
>
> Attacker must be able to sniff traffic from the client, e.g. by joining  
> the same WLAN.
>
> Attacker must get the victim to access a link in the domain which is  
> running the secured site with "http" instead of "https", e.g. by  
> sending a link in mail.
>
> With this the session can be stolen by hijacking the cookie, which is  
> transferred unencrypted to the fake link. This can only be prevented  
> by using "secure cookies".

I guess if you have someone successfully sniffing your LAN, you have  
much worse problems than sending a cookie over unencrypted HTTP.

> I found the setting "session.cookie_secure" in php.ini, but as far as  
> I know this will prevent the cookie from being transmitted over an  
> unencrypted link.
>
> The question is now :
>
> - What happens if we allow "http"? Will these clients use  
> URL cookies, or are they not able to access IMP/Horde anymore without  
> "https"?
> - Is the setting used or reset by "session_set_cookie_params" in the  
> Horde code anyway?

Why don't you test it and tell us?

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
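
Jan's "test it" can be done for the client half without touching a Horde install. The script below is an added example for this archived thread, not code from Horde or from either poster: it uses Python's http.cookiejar as a stand-in for the browser and reports which cookies set by an https page are replayed to a plain http link on the same host, which is exactly the cookie a sniffer on the WLAN would capture. The host name, the paths, the cookie name "Horde" and the two Set-Cookie headers (one as PHP emits it with session.cookie_secure off, one with the secure attribute on) are constructed for the illustration.

```python
"""Which cookies does a browser replay over plain http?

Added example for this thread, not Horde's code. Python's http.cookiejar
stands in for the browser; the host, paths, cookie name "Horde" and the
Set-Cookie headers are all constructed for the illustration.
"""
import email.message
import http.cookiejar
import urllib.request

# Constructed URLs: the https login page that sets the session cookie, and
# a plain-http link to the same host, as an attacker would send in mail.
HTTPS_LOGIN = "https://webmail.example.org/horde/login.php"
HTTP_BAIT = "http://webmail.example.org/horde/imp/message.php?index=1"

# Constructed Set-Cookie headers. The first is the shape of a PHP session
# cookie with session.cookie_secure off; the second carries the secure
# attribute (HttpOnly is included for completeness; it plays no role here).
SET_COOKIE_WEAK = ["Horde=8f3a21c9d0e4b7f6; path=/"]
SET_COOKIE_SECURE = ["Horde=8f3a21c9d0e4b7f6; path=/; secure; HttpOnly"]


class _Response:
    """Minimal response stand-in: CookieJar.extract_cookies() only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_cookies(set_cookie_values, page_url):
    """Store the cookies a page at page_url sets, the way a browser would."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_values),
                        urllib.request.Request(page_url))
    return jar


def cookie_header_for(jar, url):
    """Cookie header the jar attaches to a request for url ('' if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def leaked_cookie_names(set_cookie_values, https_url=HTTPS_LOGIN,
                        http_url=HTTP_BAIT):
    """Names of cookies set over https that the client would also send in
    the clear to http_url: the ones a sniffer on the same WLAN collects."""
    jar = receive_cookies(set_cookie_values, https_url)
    header = cookie_header_for(jar, http_url)
    return [part.split("=", 1)[0].strip()
            for part in header.split(";") if part.strip()]


if __name__ == "__main__":
    for label, headers in (("cookie_secure off", SET_COOKIE_WEAK),
                           ("cookie_secure on ", SET_COOKIE_SECURE)):
        jar = receive_cookies(headers, HTTPS_LOGIN)
        print(f"{label}: https request gets {cookie_header_for(jar, HTTPS_LOGIN)!r}, "
              f"http request gets {cookie_header_for(jar, HTTP_BAIT)!r}")
```

Without the attribute the session cookie goes out in the clear to the http link; with it, the same cookie is still sent to the https site but left off the http request. On the PHP side the attribute comes from `session.cookie_secure = 1` in php.ini or from the `$secure` argument of `session_set_cookie_params()`; whether Horde passes that argument is the poster's second question and is answered by reading the installed Horde source. As for the first question: a client that arrives over plain http with a secure cookie simply presents no session cookie, so the server sees a new session, and whether the session ID then ends up in URLs depends on PHP's `session.use_trans_sid` setting, not on the cookie flag.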
