Secure cookies through HTTPS

Hi,

I'm using cookies on my website, so my users don't have to log in each time... But there is a security hole behind that, which is why I would like to know if it is possible to send and check the cookies using HTTPS..?

I guess it could help many people to secure their web application..

Thanks,

Guillaume.

Thanks for your answer,

So only this param makes my cookie transaction secure? (seems too easy)

Hmm, well it works, my cookie is secured... but when I want to get its value back, it doesn't work any more... I guess there is something else to do?

Thanks for helping

Well ok... so it seems I have to find a way to get it back from a secure https connection... but I don't know how to handle that... :confused:

If anyone has an idea?

Is the domain name between the unsecured and secured site the same?

That is my problem, I don't actually have a secured site... let me explain:

I use cookies so my users don't always have to log in.. so when they go to my website, I check if they have the cookie, and if they do, I put their login in a session.... Why do I want security? Because cookies are a kind of security hole, so I would like to be able to transmit and receive them in a secured way, I guess that's HTTPS, but I've no idea how to implement it... if you could explain it to me (I don't want all my site in https, but also I have to check if the cookie is present on any page; I actually do that in my application layout, via a helper)

thx

Guillaume.

Usually, if the domain name matches or you're using a wildcard (i.e. .domain.com instead of www.domain.com) then the browser will automatically send cookies that match to your application. Not much else to it.

"To retrieve a cookie that has been set from https, you must be accessing it from https. So, if the URL in your browser doesn't start with https, you won't be able to read it."

How can I do that if I check the cookie on any page through the application layout... in that case which page has to be https, or can only an action be https??

Differenthink wrote:

That is my problem, I don't actually have a secured site... let me explain:

I use cookies so my users don't always have to log in.. so when they go to my website, I check if they have the cookie, and if they do, I put their login in a session.... Why do I want security? Because cookies are a kind of security hole, so I would like to be able to transmit and receive them in a secured way, I guess that's HTTPS, but I've no idea how to implement it... if you could explain it to me (I don't want all my site in https, but also I have to check if the cookie is present on any page; I actually do that in my application layout, via a helper)

A cookie is sent for each request matching a set of rules, primarily the hostname but also optionally the path and whether the contact method is secure or not. If you send the cookie by HTTPS, you send your request by HTTPS and you receive your response by HTTPS, so you have a full-blown HTTPS site.

Lionel

Differenthink wrote:

"To retrieve a cookie that has been set from https, you must be accessing it from https. So, if the URL in your browser doesn't start with https, you won't be able to read it." I'm not sure this is actually the case, cookies set without the secure option should be readable on a plain connection if I read the RFC correctly.

How can I do that if I check the cookie on any page through the application layout... in that case which page has to be https, or can only an action be https??

A page and an action aren't HTTPS. A page is (usually) HTML content that you *always* return through the same means you got your request; it doesn't know if it's http or https (or more accurately it shouldn't need to). The action usually describes the code that performs pure computations; in Rails it usually doesn't bother with http and https, it is the web server (Apache, lighttpd, nginx, ...) which is in charge of implementing the https protocol. The only links between https and Rails are:

- the fact that you can test if a request came from a secured connection (https) because the web server tells Rails,

- in HTTP, cookies are sent from the client through the same connection used later for the response: if you want to secure the content of the cookies, you must make each and every request using them with https, which means you will put your whole site in https; there's no way a part of it can be http if all content you are serving must be validated by a cookie (in fact even if you could, mixing http and https usually makes for nasty browser warnings telling the user that the site is only partially secure).

Lionel
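The matching rules from the two replies above (hostname, with a leading dot acting as the wildcard from the earlier post; path; and the Secure flag) can be modelled in a few lines. The following is an added example, not code from this thread or from Rails; it is a simplified model of browser behaviour rather than a full RFC implementation, and every cookie name, value and host in it is constructed sample data. It also shows the symptom Guillaume hit: a cookie set with the Secure attribute is simply never sent on an http request, so a layout helper running on an http page will not see it.

```ruby
require 'uri'

# Simplified cookie model with the attributes the thread discusses:
# domain, path and the Secure flag. (Added example; constructed data.)
Cookie = Struct.new(:name, :value, :domain, :path, :secure, keyword_init: true)

# Set-Cookie header the server would emit for the cookie.
def set_cookie_header(cookie)
  parts = ["#{cookie.name}=#{cookie.value}", "Path=#{cookie.path}"]
  parts << "Domain=#{cookie.domain}"
  parts << 'Secure' if cookie.secure
  parts << 'HttpOnly' # keeps the value out of reach of page scripts
  parts.join('; ')
end

# A leading dot ('.example.com') is the wildcard from the thread: it matches the
# domain itself and every subdomain. Without the dot only the exact host matches.
def domain_matches?(cookie_domain, host)
  if cookie_domain.start_with?('.')
    base = cookie_domain[1..-1]
    host == base || host.end_with?(".#{base}")
  else
    host == cookie_domain
  end
end

# Path match: equal, or the cookie path is a directory prefix of the request path.
def path_matches?(cookie_path, request_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Would a browser attach this cookie to a request for +url+?
# A Secure cookie is only attached when the request itself is https.
def sent_for?(cookie, url)
  uri = URI.parse(url)
  request_path = uri.path.empty? ? '/' : uri.path
  return false unless domain_matches?(cookie.domain, uri.host)
  return false unless path_matches?(cookie.path, request_path)
  return false if cookie.secure && uri.scheme != 'https'
  true
end

# Names of the cookies from +jar+ that the application would see for +url+.
def visible_cookie_names(jar, url)
  jar.select { |c| sent_for?(c, url) }.map(&:name)
end

# Constructed jar: a Secure remember-me cookie and a plain, host-only one.
SAMPLE_JAR = [
  Cookie.new(name: 'remember_me', value: 'tok123', domain: '.example.com', path: '/', secure: true),
  Cookie.new(name: 'theme', value: 'dark', domain: 'www.example.com', path: '/', secure: false)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts set_cookie_header(SAMPLE_JAR.first)
  %w[https://www.example.com/ http://www.example.com/ https://shop.example.com/account].each do |url|
    puts "#{url} -> #{visible_cookie_names(SAMPLE_JAR, url).inspect}"
  end
end
```

Running it shows that `remember_me` is visible on `https://www.example.com/` but absent on `http://www.example.com/`, which is exactly why a Secure remember-me cookie forces the pages that check it onto https; the host-only `theme` cookie, in turn, is not sent to `shop.example.com` because its domain has no leading dot.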

Thanks for the answer... I think I'll not go deeper into integrating secure cookies for my website...