Re: Is session_start() using encrypted cookies with HTTPS

On 2010-11-08, at 9:58 AM, Adam Richardson <simpleshot@xxxxxxxxx> wrote:

>> 
>> Couldn't Yannick also use $_SERVER['HTTPS']  and take action for the
>> session
>> and cookies accordingly?
>> 
>> Regards,
>> Tommy
> 
> 
> Not to my understanding.
> 
> When a visitor makes a request, the browser must determine which cookies are
> appropriate for transmitting in the request.  By the time PHP processes the
> request, it's too late if a packet sniffer has intercepted an unencrypted
> request.  Even if you carefully use $_SERVER['HTTP'] to manually set up
> session tracking with your own cookie, subsequent unencrypted requests would
> be vulnerable without the flag.
> 
> The secure flag for cookies is precisely for situations where you want to
> help the browser understand that a particular cookie should be protected.
> However, people can run into trouble by assuming that this automatically
> means that a cookie is only transmitted over HTTPS requests.  For most
> browsers, this is the default behavior, but the RFC isn't as demanding as
> one might expect:
> 
> http://www.ietf.org/rfc/rfc2965.txt
> 
> ===================================
> 
> Secure
> 
> OPTIONAL.
> 
> The Secure attribute (with no value) directs the user
> agent to use only (unspecified) secure means to contact the origin
> server whenever it sends back this cookie, to protect the
> confidentially and authenticity of the information in the cookie.
> *The user agent (possibly with user interaction) MAY determine what
> level of security it considers appropriate for "secure" cookies
> [emphasis added]*. The Secure attribute should be considered security
> advice from the server to the user agent, indicating that it is in the
> session's interest to protect the cookie contents.  When it sends a
> "secure" cookie back to a server, *the user agent SHOULD use no less
> than the same level of security as was used when it received the
> cookie from the server [emphasis added]*.
> 
> =========================================
> 
> So, use the flag, but remember it's not a fix-all.
> 
> Adam
> 
> -- 
> Nephtali:  PHP web framework that functions beautifully
> http://nephtaliproject.com

If the cookie needs to be encrypted, why not just encrypt it and worry less about the transport layer? Or just down one hash value id cookie and pull back the secure data for action just on the server?

Bastien
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
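
Added example, not part of the original thread: one way to set the Secure flag discussed above before calling session_start(), so that the browser itself withholds the session cookie on unencrypted requests. The function names, the CANONICAL_HOST placeholder, and the assumption that PHP 7 or later sees TLS directly (no TLS-terminating proxy in front) are all assumptions of this example.

```php
<?php
// Added example. is_https_request(), start_secure_session() and
// CANONICAL_HOST are hypothetical names; www.example.com is a placeholder.
const CANONICAL_HOST = 'www.example.com';

function is_https_request(array $server): bool
{
    // Assumption: PHP terminates TLS itself. Behind a TLS-terminating
    // proxy $_SERVER['HTTPS'] is not set and this check needs adapting.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function start_secure_session(array $server): bool
{
    if (!is_https_request($server)) {
        // This only stops PHP from issuing or resuming a session on plain
        // HTTP. It cannot un-send a cookie the browser already transmitted
        // in the clear; only the Secure flag set below prevents that.
        return false;
    }

    $current = session_get_cookie_params();
    session_set_cookie_params(
        0,                  // lifetime: until the browser closes
        $current['path'],
        $current['domain'],
        true,               // secure: browser sends the cookie over HTTPS only
        true                // httponly: not readable from JavaScript
    );

    // Never accept a session id from the URL, where it leaks via
    // Referer headers and logs.
    ini_set('session.use_only_cookies', '1');

    session_start();
    return true;
}

if (!start_secure_session($_SERVER)) {
    // Redirect to a fixed host rather than echoing the Host header back.
    header('Location: https://' . CANONICAL_HOST . '/', true, 301);
    exit;
}

// From here on $_SESSION is backed by a cookie flagged Secure; HttpOnly.
$_SESSION['last_seen'] = time();
```

The session cookie here carries only an opaque identifier, with the data itself held on the server, and the identifier still has to be kept off unencrypted connections.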



