Cookies protected against hijacking via http

I see Facebook sending cookies via http. How are they protected from theft? If I were to copy the cookie to another computer, would I be logged in?

+4
3 answers

You just described Session Hijacking, and this is a real security issue. This can be avoided in a number of ways. The easiest way to protect cookies, however, is to ensure that they are encrypted over the cable using HTTPS, not HTTP.

+6

Cookies sent over HTTP (port 80) are not protected because the HTTP protocol is not encrypted.

Cookies sent over HTTPS (port 443) are secure as HTTPS is encrypted.

So, if Facebook sends / receives cookies via HTTP, they can be stolen and dishonored.

+1

Cookies sent via HTTP are unsafe; those sent via HTTPS are slightly more secure than HTTP, but they can still be stolen, as several methods have been discovered recently to crack SSL. A full record of session capture and all attacks related to session capture can be found here: http://cleverlogic.net/tutorials/session-hijacking-0. There is also a little bit about session capture prevention.

0