Secure cookies through HTTPS

Hi,

I m using cookies on my website, so my user don t have to login each
time...
But there is a security hole behind that, it s why i would like to
know is it possible de send and check the cookies using HHTPS .. ?

Ii guess it could help many people to secure their web application..

Thks,

Guillaume.

Thanks for you answer,

So only this params make my cookies transaction secured ?
(seems to easy)

Hum well it works, my cookies is secured... but when i want to get its
value back, doesn t work any more... i guess there is something else
to do ?

Thks for helping

Well ok... so it seems i ve to find a way to get it back from a secure
https connection... but don t know how to handle that...:confused:

if anyone have an idea ?

Is the domain name between the unsecured and secured site the same?

That is my problem, i dont actually have a secured site... let me
explain to you :

I use cookie to avoid my user to always login.. so when they go to my
website, i check if they have the cookie, and if they do, i put their
login in a session....
Why do i want security ?
because cookies are king of security hole, so i would like to be able
to transmit them and received them via secured way, i guess it s
HTTPS, but i ve no idea of how to implement it... if you could explain
to me,
(i don t all my site https, but also i ve to check if the cookies is
present, on any page, i actually do that in my application layout, via
an helper)

thx

Guillaume.

Usually, if the domain name matches or you're using a wildcard
(i.e. .domain.com instead of www.domain.com) then the browser will
automatically send cookies that match to your application. Not much
else to it.

"To retrieve a cookie that has been set from https, you must be
accessing
it from https. So, if the URL in your browser doesn't start with
https,
you wont be able to read it. "

How can i do that if i check the cookie on any page through the
application layout... in that case which page has to be https, or can
only an action be https ??

Differenthink wrote:

That is my problem, i dont actually have a secured site... let me
explain to you :

I use cookie to avoid my user to always login.. so when they go to my
website, i check if they have the cookie, and if they do, i put their
login in a session....
Why do i want security ?
because cookies are king of security hole, so i would like to be able
to transmit them and received them via secured way, i guess it s
HTTPS, but i ve no idea of how to implement it... if you could explain
to me,
(i don t all my site https, but also i ve to check if the cookies is
present, on any page, i actually do that in my application layout, via
an helper)

A cookie is sent for each request matching a set of rules, primarily the
hostname but also optionnaly the path and the fact that the contact
method is secure or not. If you send the cookie by HTTPS, you send your
request by HTTPS, you receive you response by HTTPS so you have a full
blown HTTPS site.

Lionel

Differenthink wrote:

"To retrieve a cookie that has been set from https, you must be
accessing
it from https. So, if the URL in your browser doesn't start with
https,
you wont be able to read it. "
  
I'm not sure this is actually the case, cookies set without the secure
option should be readable on a plain connection if I read the RFC correctly.

How can i do that if i check the cookie on any page through the
application layout... in that case which page has to be https, or can
only an action be https ??

A page and an action aren't HTTPS. A page is (usually) HTML content that
you *always* return through the same means you got your request, it
doesn't know if its http or https (or more accurately it shouldn't need
to) . The action usually describes the code that performs pure
computations, in Rails it usually doesn't bother with http and https,
this is the web server (Apache, lighttpd, nginx, ...) which is in charge
of implementing the https protocol. The only link between https and
Rails are:
- the fact that you can test if a request came from a secured connection
(https) because the web server tells Rails,
- in HTTP, cookies are sent from the client through the same connection
used later for the response: if you want to secure the content of the
cookies, you must make each and every request using them with https,
which means you will put your whole site in https, there's no way a part
of it can be http if all content you are serving must be validated by a
cookie (in fact even if you could, mixing http and https usually makes
for nasty browser warnings telling the user that the site is only
partially secure).

Lionel

thx for the answer... i think i ll not go deeper in integration of
secure cookies for my website...