Are cookies secure from hijacking over HTTP?

I see Facebook sends cookies over HTTP. How are they secure from hijacking? If I were to copy the cookie onto another computer, would I be logged in?

joels asked May 17 '11 18:05



2 Answers

You've just described Session Hijacking, and it is a real security issue. It can be avoided in a number of ways. The simplest way to secure the cookies, though, is to ensure they're encrypted over the wire by using HTTPS rather than HTTP.

dlev answered Oct 02 '22 18:10


Cookies sent over HTTP (port 80) are not secure as the HTTP protocol is not encrypted.

Cookies sent over HTTPS (port 443) are secure as HTTPS is encrypted.

So, if Facebook sends/receives cookies via HTTP, they can be stolen and used nefariously.

Rob Raisch answered Oct 02 '22 17:10
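As an added example (not code from either answer or from any site the thread mentions), the following audit parses Set-Cookie headers, reports which protective attributes are missing, and answers the thread's actual question: whether a browser would send the cookie on a plain-HTTP request, which is what makes it interceptable. The header values and the cookie name `sid` are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # bare flags get value ""
    samesite = attrs.get("samesite")
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs,
                       samesite.capitalize() if samesite else None)

def sent_over(cookie: CookieAudit, scheme: str) -> bool:
    """Would a browser attach this cookie to a request using this scheme?
    Without Secure it also goes out over http://, where it can be read in
    transit and replayed, which is the hijack the question describes."""
    return scheme == "https" or not cookie.secure

def audit(header: str) -> CookieAudit:
    """Parse the header and add one finding per missing protection."""
    c = parse_set_cookie(header)
    if not c.secure:
        c.findings.append("missing Secure: also sent over plain HTTP")
    if not c.httponly:
        c.findings.append("missing HttpOnly: readable by page scripts")
    if c.samesite is None:
        c.findings.append("missing SameSite: attached to cross-site requests")
    return c

if __name__ == "__main__":
    # Constructed headers: an unprotected session cookie and a hardened one.
    for h in ("sid=abc123; Path=/",
              "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"):
        r = audit(h)
        print(r.name, "sent over http:", sent_over(r, "http"), r.findings)
```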