Security of HTTP based authentication
davidp at preshweb.co.uk
Fri Jan 14 13:04:46 GMT 2011
On Thu, 2011-01-13 at 14:09 +0000, Andrew Black wrote:
> I have often wondered about that - what is the risk in mixing HTTP
> images and HTTPS text?
One reason could be that if the web app didn't include 'secure' in the
Set-Cookie header, the session cookie could be sent in the clear for the
image requests too, assuming they're requested from the same domain as
the rest of the page.
Of course, marking the cookie as secure (to be sent only over HTTPS
requests) would take care of that, as would requesting images from a
different domain as often seen (ebaystatic.com etc).
David Precious <davidp at preshweb.co.uk> ("bigpresh")
More information about the london.pm