
Session cookies are quickly becoming a standard way of doing login management. However, if sent unencrypted, it's pretty easy to hijack someone's session à la Firesheep.

Now, you can solve this by making your entire site use HTTPS, but if someone types in mysite.com the browser defaults to http. We can solve this with a redirect:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

But by the time I get a chance to rewrite the URL, hasn't my session cookie already been sent over an insecure channel?

Ender
  • I suppose it can depend on what language you are using to power your site. Assuming you are using Apache and PHP, the answer is no, your Rewrite will run before PHP is started and a PHP session (id) generated. – Jordan S. Jones Dec 18 '10 at 23:55
  • Yeah, the only problem is finding some way to prevent the client from sending a session cookie that it already has. – Ender Dec 19 '10 at 00:05

1 Answer


Mark your session cookie as HTTPS-only using the Secure option.

SLaks
  • The Http-Only setting is also another thing to turn on because it prevents JavaScript from accessing it in the cookies collection. Useful for guarding against XSS. – vcsjones Dec 18 '10 at 23:54
  • Happily, it seems that there's a PHP option for this: http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-secure – Ender Dec 18 '10 at 23:58
  • ...and one for Http-Only too: http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly :D – Ender Dec 18 '10 at 23:59
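To see why the Secure attribute answers the question, here is an added example (not code from the question or answer above) that models the browser-side rule: a cookie marked Secure is never attached to a plain http:// request, so the request that hits the redirect carries nothing to steal. The Set-Cookie headers are constructed sample values; the parser assumes cookies are for the same host and ignores Domain/Expires handling.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for the example (not from the original post).
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; Path=/",                     # default PHP session cookie: no flags
    "PHPSESSID=def456; Path=/; Secure; HttpOnly",   # session.cookie_secure + cookie_httponly on
    "prefs=dark; Path=/; HttpOnly",                 # non-session cookie, HttpOnly only
]

def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie

def cookies_sent_for(cookies, url):
    """Return the values a browser would attach to a request for url.

    Secure cookies are only sent when the scheme is https, so the first
    http:// request (the one the RewriteRule redirects) does not leak them.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return [c["value"] for c in cookies
            if path.startswith(c["path"])
            and (parts.scheme == "https" or not c["secure"])]

def audit(cookies):
    """List (name, value, problem) for cookies missing Secure or HttpOnly."""
    findings = []
    for c in cookies:
        if not c["secure"]:
            findings.append((c["name"], c["value"], "missing Secure"))
        if not c["httponly"]:
            findings.append((c["name"], c["value"], "missing HttpOnly"))
    return findings

if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE]
    print("sent over http: ", cookies_sent_for(jar, "http://mysite.com/"))
    print("sent over https:", cookies_sent_for(jar, "https://mysite.com/"))
    for finding in audit(jar):
        print("audit:", finding)
```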