[horde] Cookie Hijacking with Horde/IMP??

Jan Schneider jan at horde.org
Wed Aug 13 07:35:24 UTC 2008 

Zitat von MailingListe <lst_hoe02 at kwsoft.de>:

> Zitat von Jan Schneider <jan at horde.org>:
>
>> Zitat von MailingListe <lst_hoe02 at kwsoft.de>:
>>
>>> Hello
>>>
>>> in today news there was a article about cookie-hijacking even for   
>>> SSL secured connections. As far as i understand it works as follow :
>>>
>>> Attacker must be able to sniff traffic from client eg. by joining   
>>> the same WLAN.
>>>
>>> Attacker must get the victim to access a link in the domain which   
>>> is running the secured site with "http" instead of "https" eg. by   
>>> sending a link in mail.
>>>
>>> With this the session can be stolen by Hijacking the cookie which   
>>> is transfered unencrypted to the fake-link. This can only be   
>>> prevented by using "secure-cookies".
>>
>> I guess if you have someone successfully sniffing your LAN, you have
>> much worse problems than sending cookie over unencrypted HTTP.
>
> *WLAN* A common scenario if you are using a HotSpot in the  
> airport/hotel where-ever. They often use no "line" encryption or  
> something weak like WEP so sniffing is easily possible.
>
>>> I found the setting "session.cookie_secure" in php.ini but as far   
>>> as i know this will prevent the cookie from being transmitted over  
>>>  unencrypted link.
>>>
>>> The question is now :
>>>
>>> - What happens if we allow "http". Will these clients use   
>>> URL-cookies or are they not able to access IMP/Horde anymore   
>>> without "https"?
>>> - Is the setting used or reset by "session_set_cookie_params" in   
>>> teh Horde code anyway?
>>
>> Why don't you test it and tell us?
>
> Maybe someone already investigated in this so corner so i decided to  
> ask first...
> But yes, i will have a look and thanks for the useful hints.

Btw, we alread *do* set the secure cookie flag if Horde has been setup  
to be served over HTTPS only. This is the same behavior that Google  
Mail has, that only sets the secure flag if you set in your options to  
always use HTTPS for all authentication requests.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/

More information about the horde mailing list