I see facebook sends cookies over http. How are they secure from hijacking? If I were to copy the cookie onto another computer would I be logged in?
But that's not the only purpose of cookies they are also extensively used to keep a track of your preferences online and they travel from one server to another and can be intercepted and stolen quite easily.
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily.
Here are a few ways you can reduce the risk of session hijacking: HTTPS: The use of HTTPS ensures that there is SSL/TLS encryption throughout the session traffic. Attackers will be unable to intercept the plaintext session ID, even if the victim's traffic was monitored.
Description. The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because http communication uses many different TCP connections, the web server needs a method to recognize every user's connections.
You've just described Session Hijacking, and it is a real security issue. It can be avoided in a number of ways. The simplest way to secure the cookies, though, is to ensure they're encrypted over the wire by using HTTPS rather than HTTP.
Cookies sent over HTTP (port 80) are not secure as the HTTP protocol is not encrypted.
Cookies sent over HTTPS (port 443) are secure as HTTPS is encrypted.
So, if Facebook sends/receives cookies via HTTP, they can be stolen and used nefariously.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With