XF 1.3 SSL and logins
- Thread starter Moshe1010
- Start date
Jake Bunce
Well-known member
1) Existing login cookies will remain in scope.
2) Nothing should happen.
2) Nothing should happen.
Jake Bunce
Well-known member
I searched and confirmed that cookie scope is defined by domain and path, not protocol. The same cookies should remain in scope. SSL encrypts communications.
Jake Bunce
Well-known member
Correction.
http://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
So cookies *can* be restricted by protocol.
After some further investigation I found that XenForo *does* use secure cookies if the user is visiting the forum using https.
So I would expect existing cookies to continue to work after moving to https. New cookies created after the move will only work on https.
http://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
So cookies *can* be restricted by protocol.
After some further investigation I found that XenForo *does* use secure cookies if the user is visiting the forum using https.
So I would expect existing cookies to continue to work after moving to https. New cookies created after the move will only work on https.
Rizwan Kassim
Member
Is it possible to disable secure cookies even if using https, either as a config field, or some sort of indication to an underlying line of code that can be modified?
thanks!
thanks!
Rizwan Kassim
Member
Else I suppose, I can use the setcookie method in http://xenforo.com/community/threads/need-help-with-two-plugins.34707/#post-394697 to reset the session cookie, but that'd be a janky fix. Any advice on the 'right way'?
Rigel Kentaurus
Well-known member
Actually, you want to disconnect the users and have them login again
After you switch to https, the cookies MUST be made "secure only", if you don't do that you leave the users vulnerable to different vectors of attacks that can steal cookies.
Take this two assumptions:
1) Cookies over HTTP can be sniffed since they are transmitted in clear text
2) Cookies over HTTPS are safe
Now notice this simple scenario
1) Webmaster sets redirection from http -> https
2) Cookies are set to be for both http and https
3) User still types in the browser http://yourdomain.com
4) Browser opens yourdomain.com, SENDS cookies, and is redirected to https://yourdomain.com
5) Browser opens the SSL site
By setting the cookies for both Http and Https you are putting the users at risk, since the cookies were sent in clear in step (4), even when using https, since that page is hit before the https because of the redirections, and this makes the content of the cookies available to the attackers. if xf_user is there, then the user can potentially use that to login to the site, or at least re-use the xf_session
That means all the cookies set for Http for any user of your site are potentially compromised, and switching to https will not help at all, only for the users that are logging in for the first time. But you can avoid further compromising user information by making sure the cookies are set to https only (the default in XenForo). If you wanted to be extra careful I would even change the $config['cookie']['cookie_prefix'] to force the users to start a fresh session.
After you switch to https, the cookies MUST be made "secure only", if you don't do that you leave the users vulnerable to different vectors of attacks that can steal cookies.
Take this two assumptions:
1) Cookies over HTTP can be sniffed since they are transmitted in clear text
2) Cookies over HTTPS are safe
Now notice this simple scenario
1) Webmaster sets redirection from http -> https
2) Cookies are set to be for both http and https
3) User still types in the browser http://yourdomain.com
4) Browser opens yourdomain.com, SENDS cookies, and is redirected to https://yourdomain.com
5) Browser opens the SSL site
By setting the cookies for both Http and Https you are putting the users at risk, since the cookies were sent in clear in step (4), even when using https, since that page is hit before the https because of the redirections, and this makes the content of the cookies available to the attackers. if xf_user is there, then the user can potentially use that to login to the site, or at least re-use the xf_session
That means all the cookies set for Http for any user of your site are potentially compromised, and switching to https will not help at all, only for the users that are logging in for the first time. But you can avoid further compromising user information by making sure the cookies are set to https only (the default in XenForo). If you wanted to be extra careful I would even change the $config['cookie']['cookie_prefix'] to force the users to start a fresh session.
Similar threads
- Solved
- Question
