[Discussion] Should cookies be secure


[Discussion] Should cookies be secure

Jolle Carlestam-2
While on the subject of cookies.
How important is it to use the param -secure for cookies that are used by https sites?

All my production sites are nowadays published as https only. But I have not troubled myself on tweaking the cookies used. Maybe time to correct this.
One issue being that while developing locally I'm not using https. So I can't just do

web_response -> setcookie(
        'mycookie' = #cookie_value,
        -domain = server_name,
        -expires = #cookiedate,
        -path = '/',
        -secure
)

I need to have a convenient and fast way to check if this is published thru a non https site or not.

Any other thing I should do while creating cookies to make them secure and reliable?

HDB
Jolle

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: [Discussion] Should cookies be secure

Brad Lindsay
There’s always [web_request->isHttps] to check for https.

Brad


Re: [Discussion] Should cookies be secure

Dave Bruhn
In reply to this post by Jolle Carlestam-2
When I do my dev work, it's all on my local machine.  I don't use https in that environment because, in my usage, there's simply no point.  Forcing https in my Lasso code would end up causing more problems than it would solve, as most of the URLs I use for development look like www.dev or qds.dev.

We utilize an Apache redirect that redirects all web requests from http to https.  Problem solved.

Dave
---
Dave Bruhn
Systems Analyst
North Carolina Hospital Association
PO Box 4449
Cary, NC 27519-4449
919-677-4145 (office)
[hidden email]
http://www.ncha.org


Re: [Discussion] Should cookies be secure

Jolle Carlestam-2
12 jan 2015 kl. 15:25 skrev Dave Bruhn <[hidden email]>:

> We utilize an Apache redirect that redirects all web requests from http to https.  Problem solved.

Does it solve "problems" with cookies not set to only work with https? I do the same redirect scheme. But I'm not tech security savvy enough to know if this poses a problem.

Me thinks that this would be the correct setup

web_response -> setcookie(
        'mycookie' = #cookie_value,
        -domain = server_name,
        -expires = #cookiedate,
        -path = '/',
        -secure
)

instead of

web_response -> setcookie(
        'mycookie' = #cookie_value,
        -domain = server_name,
        -expires = #cookiedate,
        -path = '/'
)

But maybe I’m overcautious.

HDB
Jolle


Re: [Discussion] Should cookies be secure

Bil Corry-3
In reply to this post by Jolle Carlestam-2
It's very important to use -secure, otherwise an attacker on the same
network can trick your browser into revealing the cookie.  The secure flag
prevents that.

Also recommend using the httponly flag too, unless you need JavaScript to
access the cookie.


- Bil



Re: [Discussion] Should cookies be secure

Jolle Carlestam-2
12 jan 2015 kl. 17:28 skrev Bil Corry <[hidden email]>:

> It's very important to use -secure, otherwise an attacker on the same
> network can trick your browser into revealing the cookie.  The secure flag
> prevents that.

I was kinda expecting Bil to chime in with this answer. :-)

> Also recommend using the httponly flag too, unless you need JavaScript to
> access the cookie.

Would love to, but it does not look like Lasso 9 has a param for httponly when setting a cookie.

HDB
Jolle


Re: [Discussion] Should cookies be secure

Bil Corry-3
Then I suggest adding it as a feature request.  Without it, an attacker can
read the cookie contents via XSS.


- Bil


Re: [Discussion] Should cookies be secure

Jolle Carlestam-2
12 jan 2015 kl. 17:46 skrev Bil Corry <[hidden email]>:

> Then I suggest adding it as a feature request.  Without it, an attacker can
> read the cookie contents via XSS.

But, of course, already done.
http://www.lassosoft.com/rhinotrac?id=7935

HDB
Jolle


Re: [Discussion] Should cookies be secure

stevepiercy
In reply to this post by Jolle Carlestam-2
On 1/12/15 at 2:07 PM, [hidden email] (Jolle Carlestam) pronounced:

>While on the subject of cookies.
>How important is it to use the param -secure for cookies that are used by https sites?
>
>All my production sites are nowadays published as https only.
>But I have not troubled myself on tweaking the cookies used.
>Maybe time to correct this.

If production has HTTPS, I have HTTPS in my sandbox, to avoid
writing code around '-secure' or not.

Creating a self-signed certificate is fairly easy.  Here are
instructions for CentOS that I use in development (shared)
servers and which equally apply for Mac sandboxes.
http://wiki.centos.org/HowTos/Https

To make that easier, with Apache 2.2.12 and later, you can use
Server Name Identification, and use a single IP address and
self-signed certificate for multiple websites.  Just add this to
your ssl.conf:

NameVirtualHost *:443

...and for each unique IP, replace this:

<VirtualHost 12.34.56.79:443>

...with this.

<VirtualHost *:443>

>One issue being that while developing locally I'm not using https. So I can't just do
>
>web_response -> setcookie(
>'mycookie'  = #cookie_value,
>-domain     = server_name,
>-expires    = #cookiedate,
>-path       = '/',
>-secure
>)
>
>I need to have a convenient and fast way to check if this is
>published thru a non https site or not.

server_port == 443 ?

--steve

>Any other thing I should do while creating cookies to make them secure and reliable?
>
>HDB
>Jolle
>

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>



Re: [Discussion] Should cookies be secure

Brad Lindsay
On January 12, 2015 at 3:04:29 PM, Steve Piercy - Website Builder ([hidden email]) wrote:
> If production has HTTPS, I have HTTPS in my sandbox, to avoid
> writing code around '-secure' or not.

Using rope, I have different configuration setup for development, staging, and production. (Rope will let you name / create whatever environments you want.) This comes in handy for things such as configuring email sending.

That being said, there’s really no need to “code around -secure” as you can just always call it — all you need to do is pass it the proper value: -secure = web_request->isHTTPS


Brad
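Bil's two flags and Brad's "pass -secure the request scheme" idea, shown at the HTTP header level as an added Python example (not code from the thread and not Lasso): build_set_cookie sets Secure from an is_https argument the way -secure = web_request->isHTTPS does, and audit_set_cookie reports which of Secure and HttpOnly a Set-Cookie header lacks. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

def build_set_cookie(name, value, is_https, domain=None, path="/",
                     max_age=None, http_only=True):
    """Return a Set-Cookie header value. Secure follows the request scheme,
    the same idea as Lasso's -secure = web_request->isHTTPS, so one code path
    serves an http dev box and an https-only production site."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if domain:
        morsel["domain"] = domain
    if max_age is not None:
        morsel["max-age"] = max_age
    morsel["secure"] = is_https      # browser only sends it over TLS
    morsel["httponly"] = http_only   # not readable via document.cookie
    return morsel.OutputString()

def audit_set_cookie(header_value, served_over_https=True):
    """Parse one Set-Cookie header value and list the missing protections.
    Returns [] when Secure (on https sites) and HttpOnly are both present."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append(f"{cookie_name}: no Secure flag, so the browser will "
                        "also send it on any plain-http request to the host")
    if "httponly" not in attrs:
        findings.append(f"{cookie_name}: no HttpOnly flag, so page script "
                        "(including injected script) can read it")
    return findings

# Constructed sample headers, as an https-only production site might emit them.
SAMPLE_HEADERS = [
    "mycookie=abc123; Domain=www.example.test; Path=/",
    "session=xyz; Path=/; Secure",
    build_set_cookie("session", "xyz", is_https=True, domain="www.example.test"),
]

def audit_all(headers, served_over_https=True):
    """Map each header to its findings; a clean header maps to an empty list."""
    return {h: audit_set_cookie(h, served_over_https) for h in headers}

if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```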


Re: [Discussion] Should cookies be secure

stevepiercy
On 1/12/15 at 7:13 PM, [hidden email] (Brad Lindsay) pronounced:

>On January 12, 2015 at 3:04:29 PM, Steve Piercy - Website
>Builder ([hidden email]) wrote:
>>If production has HTTPS, I have HTTPS in my sandbox, to avoid
>>writing code around '-secure' or not.
>
>Using rope, I have different configuration setup for
>development, staging, and production. (Rope will let you name /
>create whatever environments you want.) This comes in handy for
>things such as configuring email sending.
>
>That being said, there’s really no need to “code around
>-secure” as you can just always call it — all you need to
>do is pass it the proper value: -secure = web_request->isHTTPS

We have different definitions of "code around".  Let's say it's
more code than necessary.

Also, I can't recall for sure, but I think that's only
valid in 9.  IIRC, 8 only accepted it as -secure, no boolean
value.  I could be wrong.

This needs to be updated, too.
http://www.lassosoft.com/lassoDocs/languageReference/obj/cookie_set

...to reflect -secure accepts a boolean value in 9 and to be
consistent with the Guide.
http://lassoguide.com/operations/requests-responses.html?#web_response->setCookie

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>



Re: [Discussion] Should cookies be secure

Jolle Carlestam-2
> 13 jan 2015 kl. 01:34 skrev Steve Piercy - Website Builder <[hidden email]>:
>
> Also, I can't recall for sure, but I think I think that's only
> valid in 9.  IIRC, 8 only accepted it as -secure, no boolean
> value.

Any Lasso 9 method with boolean params can be set like that.

-flag,
-on,
-doit

Can equally be set using
-flag = #aboolean,
-on = #aboolean,
-doit = #aboolean

If that doesn't work in Lasso 8 I don't really care. It's a programming language I have not used for 5-6 years. Time to move on.


HDB
Jolle

Sent from a thin, flat, touchy device from an undetermined place in space.

