
My question is: if I am hosting my website over an HTTPS connection, could the cookie still potentially be stolen by an attacker performing a man-in-the-middle attack?

Over an HTTP connection, the attacker might intercept the cookie and hijack a victim's session. So if the attacker can carry out a man-in-the-middle attack, he can force the victim to make an HTTP request and steal the cookie.

So is this risk still there with an HTTPS connection? Or how can I make it more secure so that the attacker cannot steal the cookie?

Faran Saleem

2 Answers


The answer is YES.

Not sure if I am explaining this well enough.

But take a look at: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

On an extra note: the cookie will reside on the user's end, and HTTPS just specifies that the connection between the two ends will be encrypted and that an SSL certificate is used. SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. An SSL certificate is a data file hosted on a website's origin server. SSL certificates make SSL/TLS encryption possible, and they contain the website's public key and the website's identity, along with related information.

  • Welcome to SO. While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. *Note, you can include quotes by prefixing all lines of the quote with `>`.* – Connor Low Aug 27 '21 at 16:48

> Or how can I make it more secure so that the attacker cannot steal the cookie?

You must declare that in web.config using requireSSL, to force the cookie to be sent only over secure connections:

<httpCookies domain="domain.com" requireSSL="true"/>

More to read: Can some hacker steal a web browser cookie from a user and login with that name on a web site?

Aristos
  • What if the website is hosted over HTTP only? Does this web.config setting still make a difference? – Faran Saleem Aug 23 '21 at 12:45
  • If you are on HTTP only and set that parameter, then no cookies are saved at all... you need an HTTPS connection. – Aristos Aug 23 '21 at 12:50
  • To avoid a `man in the middle attack` in a more advanced way, you have to keep more information connected with that cookie on the server side, like the IP and browser characteristics, and double-check them on each request. – Aristos Aug 23 '21 at 12:51
  • Typically login cookies should set both requireSSL (don't send the cookie over insecure connections) and HttpOnly (block the cookie from being accessed via javascript). – Brian Aug 23 '21 at 13:24
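To make the point of this answer and its comments concrete, here is an added example (not code from the original question or answers) that models how a browser's cookie jar treats the Secure and HttpOnly attributes that requireSSL and httpOnlyCookies put on a Set-Cookie header. The Set-Cookie headers, the domain name `domain.com` and the cookie names are constructed for the illustration; the jar logic is a simplified version of the RFC 6265 rules, not a real browser.

```python
# Added example: a minimal model of a browser cookie jar, showing why an
# HTTPS-only site still leaks its session cookie to an on-path attacker who
# forces the victim's browser onto http:// unless the cookie carries the
# Secure attribute, and why HttpOnly keeps it away from page scripts.
# Sample Set-Cookie headers and the domain below are constructed.

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, default_domain: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are
    case-insensitive (RFC 6265); attributes we do not model are ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=default_domain)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


def cookies_for_request(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies a browser would attach to a request for url.
    Secure cookies are attached only when the scheme is https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if host != c.domain and not host.endswith("." + c.domain):
            continue  # simplified domain match
        if c.secure and parts.scheme != "https":
            continue  # this is the check requireSSL buys you
        sent.append(c.name)
    return sent


def script_readable(jar: list[Cookie]) -> list[str]:
    """Names visible to document.cookie, i.e. to an XSS payload."""
    return [c.name for c in jar if not c.http_only]


# Constructed scenario: the same HTTPS site, before and after hardening.
DEFAULT_DOMAIN = "domain.com"  # assumed domain, matches the web.config above

WEAK_HEADERS = [
    "ASP.NET_SessionId=abc123; Path=/",
    "prefs=dark; Path=/",
]
HARDENED_HEADERS = [
    "ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Secure",
]


def build_jar(headers: list[str]) -> list[Cookie]:
    return [parse_set_cookie(h, DEFAULT_DOMAIN) for h in headers]


def leaked_over_forced_http(headers: list[str]) -> list[str]:
    """What an on-path attacker receives after tricking the victim's
    browser into a plaintext request to http://domain.com/."""
    return cookies_for_request(build_jar(headers), "http://domain.com/")


def sent_over_https(headers: list[str]) -> list[str]:
    """What the legitimate HTTPS origin still receives."""
    return cookies_for_request(build_jar(headers), "https://domain.com/")


if __name__ == "__main__":
    print("weak jar, forced http     :", leaked_over_forced_http(WEAK_HEADERS))
    print("hardened jar, forced http :", leaked_over_forced_http(HARDENED_HEADERS))
    print("hardened jar, https       :", sent_over_https(HARDENED_HEADERS))
    print("hardened jar, document.cookie:", script_readable(build_jar(HARDENED_HEADERS)))
```

With the weak headers the forced plaintext request carries both cookies, which is exactly the hijack described in the question; with Secure set, the browser sends nothing over http://, so the attacker's forced request yields no session identifier, while the real HTTPS origin still gets both cookies. HttpOnly is orthogonal: it hides the session cookie from scripts but has no effect on what goes over the wire. Pairing the Secure flag with a Strict-Transport-Security response header closes the remaining gap, since an HSTS-enabled browser will not make the plaintext request to that host at all.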