HTTP pages are removing my secure cookies


Question

I have a site with mixed HTTP / HTTPS. When the user logs in, she gets two cookies:

  • a regular cookie with her (signed) username, login expire time, and an "insecure" flag
  • a secure cookie with her (signed) username, login expire time, and a "secure" flag
    • note that if you don't have the secure/insecure flag within the signed content, an attacker can intercept the regular cookie and then send it as the secure one (my first implementation made this mistake)

I use the regular cookie on HTTP pages (just for showing her name while she browses the marketing portion of the site). Then I use the secure cookie when she's on HTTPS pages (any user-specific pages).

I got the idea from Secure cookies and mixed https/http site usage.

Everything works great, except that when the user navigates from an HTTPS page to an HTTP one, all of the secure cookies get deleted - which means that they can't go back to HTTPS pages after visiting even a single HTTP page. I should mention that there is a "301 Moved Permanently" that redirects the user from HTTPS to HTTP.

My site isn't clearing the secure cookie. I know that the browser shouldn't send me the secure cookie while the user is looking at an HTTP site, but I expected the cookie to stick around for its lifetime, and get sent if the user ends up on an HTTPS page again.

I'm getting this same behavior on Chrome, Firefox, and IE. Any tips? I hope this isn't the expected behavior...

Solution

Welp, that's embarrassing. Here's what my problem turned out to be.

  • When the user tried to visit an HTTPS site from an HTTP one, their request would start as HTTP
  • I would check their login credentials (which would fail, because the secure cookie wasn't there), then redirect them to HTTPS. My "require login" and "require HTTPS" systems were separate (a bad design now, but it was convenient in the bad old days where the login cookie wasn't secure)
  • I thought my secure cookie was being deleted because the Chrome cookie browser doesn't show secure cookies when the page being shown is HTTP. The cookies were there all along.
