Can an authentication cookie be stolen if it's issued by a server over SSL?

Question

Assume all communication between the client and the server is over SSL and "requireSSL=true" is set on the cookie.

possible duplicate of [Is encrypting session id (or other authenticate value) in cookie useful at all?](http://stackoverflow.com/questions/2840559/is-encrypting-session-id-or-other-authenticate-value-in-cookie-useful-at-all) and http://stackoverflow.com/questions/22880/what-is-the-best-way-to-prevent-session-hijacking — KV Prajapati, Sep 13 '12 at 03:08

score 1 · Answer 1 · edited Oct 07 '21 at 06:09

HTTPS is HTTP over TLS/SSL, which establishes the SSL/TLS connection before exchanging any HTTP messages.

Provided that both parties are configured correctly and that the client verifies the certificate, the SSL/TLS tunnel will protect the HTTP traffic against MITM attacks and eavesdropping.

This should prevent any party between the browser and the server from seeing that cookie. In addition, if this is a secure cookie (with the secure flag, which might be configured with requireSSL=true), the browser should only send it back on HTTPS request (if your site uses both HTTP and HTTPS). (It might be useful to set httpOnly on your cookie too to prevent from attacks involving scripts.)

score 0 · Answer 2 · answered Sep 13 '12 at 14:10

0

Teorically not, only can be stolen by:

bug in the browser
man in the middle attack
weak cypher algorithm

answered Sep 13 '12 at 14:10

Maks3w

6,014
6
37
42

Can an authentication cookie be stolen if it's issued by a server over SSL?

2 Answers2