TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details should check out the paper.
The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I'll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.
PHP
The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I'll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.
PHP
bool setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )
Note that the $secure boolean should be set to true.
Cookie helloCookie = new Cookie("name",text);
helloCookie.setSecure(true);
ASP.NET
Perl with CGI.pm
(added by Noam)
HttpCookie cookie = new HttpCookie('name');
cookie.Secure = True;
cookie.Value = 'Joe';
Perl with CGI.pm
(added by Noam)
$cookie = cookie(-name=>’sessionID’,
-value=>’xyzzy’,
-expires=>’+1h’,
-path=>’/cgi-bin/database’,
-domain=>’.capricorn.org’,
-secure=>1);
Sandro Gauci'IT' 카테고리의 다른 글
| basketball (0) | 2012.11.01 |
|---|---|
| The Best AirPrint Compatible Printers (0) | 2011.12.23 |
| Why Java Will Always Be Slower than C++ (0) | 2011.12.09 |
| a (0) | 2011.12.09 |
| Information Security Interview Questions (0) | 2011.12.05 |
