• Toll-free  888-665-8637
  • International  +1 717-220-0012
NickyV
#1 Posted : Monday, April 21, 2008 7:53:56 AM(UTC)

Rank: Member

Joined: 8/29/2005(UTC)
Posts: 41

Two of my customers are still on BVC 2004 and I've been trying to talk them into BVC 5.


One of them keeps getting notifications from Scanalert that their session cookies are being sent over a non-secure (SSL) channel.



While the other has told me that their security audit complains that their session cookie is not encrypted.



I've looked through documentation, but have failed to find if BVC 5 resolves this "medium" security issue.



Does BVC 5 send its cookies encrypted / over SSL?



See the description from Scanalert below for further information:

Description

The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.

An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user while they are viewing the website, maintaining a list of contents (as used by a shopping cart application), etc. In short, this is a way to identify a user by the computer they used to access the site, as well as providing a way for the browser to keep the session in memory for subsequent visits and to allow personalization based on the preferences of a particular user. Using cookies allows browser and server to "maintain state".

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.

The potentially sensitive cookie was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie has the potential to be "sniffed" from network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the client's machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view these saved cookies even after the user's browser has been closed. With the number of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.

General Solution

Verify the business need pertaining to the cookie. You should identify and answer ALL of the following questions:

1. Does the client need to send potentially sensitive information back and forth to the server?
   In some cases there is a business need to do this, such as maintaining the user's session. If this is the case, verify that the data in the cookie is encrypted.

2. Why is a sensitive cookie being sent over an insecure channel?
   If this is a session cookie there is NO VALID REASON that this cookie is sent over an insecure channel. This cookie and potentially the entire site needs to be encrypted end-to-end using SSL.

3. Does the cookie need to be persistent (saved on the client's machine)?
   Potentially sensitive cookies should never be saved to a client's machine. Verify the business case of why this is currently being done.
Andy Miller
#2 Posted : Monday, April 21, 2008 10:27:11 AM(UTC)

Rank: Member

Joined: 11/5/2003(UTC)
Posts: 2,136

Was thanked: 1 time(s) in 1 post(s)
You don't mention which cookie raised the concern. As far as I know, BVC5 SP3.2 uses 4 cookies: 1) a user ID cookie, 2) a cart ID cookie, 3) a last viewed item cookie, and 4) the generic ASP.NET session cookie.

You can turn off the user ID cookie (which I suspect is the one that Scanalert is concerned about) by going to BV Admin > Options > Site Settings > Users, and unchecking remember users and remember user passwords.

You can also run your entire site under SSL if you want, though that may be impractical. I'm not aware of any ecommerce site that does that. Nonetheless, select BV Admin > Options > Site Settings > Security and change both URLs to use https:, then check Use SSL. You will also need to configure your server to reject unsecured requests or to automatically redirect them to https.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing
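The checks behind the scanner's three questions (sensitive cookie, sent without TLS or the Secure attribute, persistent), run over Set-Cookie headers like the four Andy lists. This is an added example written for this thread, not code from Scanalert, BVC or either poster; the sensitive-name patterns and the sample headers are assumptions, and the headers are constructed, not captured from a BVC site.

```python
"""Audit Set-Cookie headers for the findings in the Scanalert report."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Name fragments that usually mean a session token or user identity (assumption).
SENSITIVE_NAME = re.compile(r"sess|sid|auth|token|user|login|pass", re.I)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lowercase: val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_cookie(header, over_https, now=None):
    """Findings for one Set-Cookie header; over_https says whether the
    response that carried it was served on TLS; now is the reference time
    for Expires (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    # Persistent (written to disk) if Max-Age > 0 or Expires lies in the future.
    persistent = False
    if attrs.get("max-age") not in (None, True):
        persistent = int(attrs["max-age"]) > 0
    elif attrs.get("expires") not in (None, True):
        persistent = parsedate_to_datetime(attrs["expires"]) > now
    return {
        "name": name,
        "sensitive": bool(SENSITIVE_NAME.search(name)),
        # Without Secure the browser returns the cookie on plain HTTP even if it
        # was set over TLS; setting it over plain HTTP exposes it immediately.
        "insecure_channel": not over_https or "secure" not in attrs,
        "httponly": "httponly" in attrs,
        "persistent": persistent,
    }


def scanalert_findings(headers, over_https, now=None):
    """Names of cookies the report would flag: sensitive and either insecure or persistent."""
    audited = [audit_cookie(h, over_https, now) for h in headers]
    return [c["name"] for c in audited
            if c["sensitive"] and (c["insecure_channel"] or c["persistent"])]


# Constructed sample headers modelled on the cookies named in the thread.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    "UserId=42; Max-Age=31536000; path=/",
    "LastViewedItem=sku-17; path=/",
]
```

Running `scanalert_findings(SAMPLE_HEADERS, over_https=False)` flags the session and user ID cookies but not the last-viewed-item cookie; re-audit after enabling Use SSL and disabling "remember users" to confirm both findings clear.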
©2024 Develisys. All rights reserved.