On Thursday, June 16, 2011 8:26:47 PM UTC-4, pbreit wrote:
>
> That's exactly what the "secure" cookie flag prevents, sending the cookie
> over a nonsecure line. The problem as you note is that even if your server
> is set up to redirect nonsecure traffic to secure traffic, the cookie is
> still sent over in that first handshake. The "secure" flag prevents that. At
> least that's how I interpret the literature. The Firesheep guy provides more
> info: http://codebutler.com/firesheep-a-day-later
As I understand it, the "secure" flag only tells the browser not to send the cookie to the server unless over SSL, but it doesn't prevent the server from sending or receiving the cookie without SSL. In any case, in web2py, session.secure() is useless if you don't actually have an https connection -- in that case, sessions will simply not work at all (because the browser won't be able to send the cookie back). The problem is if you have a non-https part of the site that requires sessions (which cannot use secure cookies) and then transition to a secure part of the site and secure the cookie -- in that case, because the cookie was initially not secure, there is a vulnerability.

Anthony
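The two behaviours discussed above (the Secure flag is a browser-side send rule only, and a session cookie first issued over plain http stays exposed even after the https part of the site re-issues it with Secure) can be reproduced with the client logic in Python's standard library, which applies the same rule a browser does. The script below is an added example, not code from the original thread or from web2py. The cookie name `session_id_app`, the host `example.com`, the URLs and the Set-Cookie headers are constructed for the illustration; `run_flow` replays a sequence of requests and reports what the client would attach to each one and which values crossed the wire in cleartext.

```python
import email.message
import http.cookiejar
import urllib.request

# Assumed cookie name and value for the illustration (not web2py's actual output).
COOKIE_NAME = "session_id_app"
COOKIE_VALUE = "abc"


class FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def issue_cookie(jar, url, set_cookie):
    """Store a Set-Cookie header as if it arrived in a response to `url`."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse([set_cookie]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the client would send to `url`, or None.

    CookieJar applies the Secure rule here: a cookie flagged Secure is only
    attached when the request scheme is https.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def run_flow(steps):
    """Replay (url, set_cookie_or_None) steps against a fresh client.

    Returns (cookie header sent at each step, set of Cookie headers that were
    transmitted over plain http and are therefore visible to a sniffer).
    """
    jar = http.cookiejar.CookieJar()
    sent = []
    leaked = set()
    for url, set_cookie in steps:
        header = cookie_header_for(jar, url)
        sent.append(header)
        if header is not None and url.startswith("http:"):
            leaked.add(header)
        if set_cookie is not None:
            # The server's Set-Cookie in the response to this request.
            issue_cookie(jar, url, set_cookie)
    return sent, leaked


# Constructed flow 1: the whole site is https and the session cookie is
# issued with Secure from the start. A later http request sends nothing,
# so an http-only visitor has no session at all (sessions "do not work").
SECURE_ONLY_FLOW = [
    ("https://example.com/", f"{COOKIE_NAME}={COOKIE_VALUE}; Path=/; Secure; HttpOnly"),
    ("https://example.com/account", None),
    ("http://example.com/", None),
]

# Constructed flow 2: a non-https part of the site needs sessions, so the
# cookie is issued without Secure; the https part later re-issues the same
# value with Secure. The flag now stops further cleartext sends, but the
# value already crossed the wire at step 2 and is still valid at step 3.
HTTP_THEN_HTTPS_FLOW = [
    ("http://example.com/", f"{COOKIE_NAME}={COOKIE_VALUE}; Path=/; HttpOnly"),
    ("http://example.com/catalog", None),
    ("https://example.com/checkout", f"{COOKIE_NAME}={COOKIE_VALUE}; Path=/; Secure; HttpOnly"),
    ("http://example.com/", None),
]


if __name__ == "__main__":
    for label, flow in (("secure-only", SECURE_ONLY_FLOW), ("http-then-https", HTTP_THEN_HTTPS_FLOW)):
        sent, leaked = run_flow(flow)
        print(label)
        for (url, _), header in zip(flow, sent):
            print(f"  {url:<32} Cookie: {header}")
        print(f"  exposed in cleartext: {sorted(leaked) or 'nothing'}")
```

The second flow is the case Anthony describes: after the https part marks the cookie Secure, the final http request no longer carries it, but `leaked` is non-empty because the same value went out in cleartext earlier, and anyone who captured it can present it to the https endpoint. Fixing that requires issuing a fresh session identifier when the user crosses into the secure part of the site, not just setting the flag on the old one. Note also that the stdlib jar accepts a Secure cookie delivered over http, whereas current browsers reject a Set-Cookie carrying Secure from a plain-http origin; neither behaviour helps in flow 2, where the cookie was first issued without the flag.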