Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Secure cookie and invalid certificate

Is a secure cookie supposed to be sent to an HTTPS server that have an invalid certificate? I mean, I have an application served by a HTTPS server which send a cookie with the secure flag activated after the login step. Is my server supposed to receive the cookie back if it has an invalid certificate? Is this is normalized (it seems it's not), could someone point me to the relevant part of the norm?

like image 399
Sylvain Prat Avatar asked Mar 07 '12 17:03

Sylvain Prat


People also ask

How do you secure a cookie?

You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in one of two ways: with the Secure attribute and the HttpOnly attribute. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.

What is the difference between secure and HttpOnly cookie?

Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.

Why are secure cookies not secure?

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection.


2 Answers

Yes, a cookie with Secure flag set is only sent for TLS/SSL secured connections:

If the cookie's secure-only-flag is true, then the request-uri's scheme must denote a "secure" protocol (as defined by the user agent). […] Typically, user agents consider a protocol secure if the protocol makes use of transport-layer security, such as SSL or TLS. For example, most user agents consider "https" to be a scheme that denotes a secure protocol.

But to establish a TLS/SSL connection, it only matters whether the certificate is trusted. It doesn’t matter how the certificate was trusted, i. e. whether it was trusted automatically or manually.

like image 140
Gumbo Avatar answered Oct 23 '22 09:10

Gumbo


Whether the certificate is valid or not is actually immaterial. If an invalid certificate is detected when browsing to a site most browsers will tell the user the cert is invalid and let the user determine whether they want to proceed or not.

With regards to the "secure" part of the cookie, all that does is tell the browser that the cookie is only valid for https connections and shouldn't be transferred over regular http connections.

This means that yes, your server should receive the cookie back from the browser provided that the URL being accessed is an https url. Even if the server's cert is invalid.

like image 39
NotMe Avatar answered Oct 23 '22 09:10

NotMe