[horde] Cookie Hijacking with Horde/IMP??
MailingListe
lst_hoe02 at kwsoft.de
Tue Aug 12 19:48:01 UTC 2008
Quoting Jan Schneider <jan at horde.org>:
> Quoting MailingListe <lst_hoe02 at kwsoft.de>:
>
>> Hello
>>
>> in today's news there was an article about cookie hijacking even for
>> SSL-secured connections. As far as I understand it, it works as follows:
>>
>> Attacker must be able to sniff traffic from the client, e.g. by joining
>> the same WLAN.
>>
>> Attacker must get the victim to access a link in the domain which
>> is running the secured site with "http" instead of "https", e.g. by
>> sending a link in mail.
>>
>> With this the session can be stolen by hijacking the cookie which
>> is transferred unencrypted to the fake link. This can only be
>> prevented by using "secure cookies".
>
> I guess if you have someone successfully sniffing your LAN, you have
> much worse problems than sending the cookie over unencrypted HTTP.
*WLAN*. A common scenario if you are using a hotspot in an
airport/hotel, wherever. They often use no "line" encryption or
something weak like WEP, so sniffing is easily possible.
>> I found the setting "session.cookie_secure" in php.ini, but as far
>> as I know this will prevent the cookie from being transmitted over an
>> unencrypted link.
>>
>> The question is now :
>>
>> - What happens if we allow "http"? Will these clients use
>> URL cookies, or are they not able to access IMP/Horde anymore
>> without "https"?
>> - Is the setting used or reset by "session_set_cookie_params" in
>> the Horde code anyway?
>
> Why don't you test it and tell us?
Maybe someone has already investigated this corner, so I decided to
ask first...
But yes, I will have a look, and thanks for the useful hints.
Andreas
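The browser-side rule the whole scenario above hinges on, shown as an added example that is not code from Horde/IMP or from anyone in this thread (host name, cookie name and session value are constructed): a conforming user agent never attaches a cookie carrying the Secure attribute to an http:// request, so once session.cookie_secure = 1 is in effect, the lured http request arrives at the server with no session cookie at all and a passive sniffer on the WLAN learns nothing; without the attribute, the same cookie travels in the clear. The domain and path checks are a simplified version of RFC 6265 section 5.4.

```python
"""Effect of the Secure cookie attribute on a lured http:// request.

Added example for this thread; not code from Horde/IMP or the thread's
authors.  Host names, cookie names and session values are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header_value: str, origin_host: str) -> dict:
    """Turn one Set-Cookie header value into the fields a user agent keeps.

    A cookie set without a Domain attribute is host-only (RFC 6265 5.3):
    it is returned only to the exact host that set it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    (name, morsel), = jar.items()
    domain = (morsel["domain"] or "").lstrip(".").lower()
    return {
        "name": name,
        "value": morsel.value,
        "domain": domain or origin_host.lower(),
        "host_only": not domain,
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }


def cookie_sent(cookie: dict, url: str) -> bool:
    """Would a conforming user agent attach `cookie` to a request for `url`?

    Simplified RFC 6265 5.4: domain match, path match, and the rule that a
    Secure cookie is only sent over https.  The Secure attribute is what
    session.cookie_secure = 1 in php.ini adds to the session cookie.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False
    cpath = cookie["path"]
    if not (path == cpath or path.startswith(cpath.rstrip("/") + "/")):
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    return True


def sniffed_values(cookies: list, url: str) -> list:
    """What a passive eavesdropper on the client's WLAN learns from the
    request to `url`: nothing from https, every attached cookie from http."""
    if urlsplit(url).scheme == "https":
        return []
    return [c["value"] for c in cookies if cookie_sent(c, url)]


def demo() -> dict:
    """Replay the scenario from the thread with constructed data."""
    site = "webmail.example.com"
    # Session cookie as PHP would set it with session.cookie_secure = 0
    # (the default) and with session.cookie_secure = 1.  Value is constructed.
    plain = parse_set_cookie("Horde=s3cr3t-session-id; path=/", site)
    secure = parse_set_cookie("Horde=s3cr3t-session-id; path=/; secure", site)
    # The link the attacker mails: same host, but http:// instead of https://.
    lure = f"http://{site}/imp/index.php"
    login = f"https://{site}/imp/index.php"
    return {
        "plain_sent_over_http": cookie_sent(plain, lure),
        "secure_sent_over_http": cookie_sent(secure, lure),
        "secure_sent_over_https": cookie_sent(secure, login),
        "sniffer_sees_plain": sniffed_values([plain], lure),
        "sniffer_sees_secure": sniffed_values([secure], lure),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

What this does not show is the server side: a request that arrives without the session cookie simply has no session id, so whether such a client gets a fresh, unauthenticated session or falls back to URL-based session ids depends on PHP's session.use_trans_sid and on how the application starts its session, which is exactly the part Jan suggests testing against the Horde code.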