Skip to main content

Setting the secure flag in the cookie is easy

Published on Aug 29, 2008

TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details should check out the paper.

The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I’ll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.

PHP’s setcookie:

bool setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )

Note that the $secure boolean should be set to true.

JSP / Java Server Pages:

Cookie helloCookie = new Cookie("name",text);
helloCookie.setSecure(true);

ASP.NET:

HttpCookie cookie = new HttpCookie('name');
cookie.Secure = True;
cookie.Value = 'Joe';

Perl with CGI.pm (added by Noam)

$cookie = cookie(-name=>sessionID,
-value=>xyzzy,
-expires=>+1h,
-path=>/cgi-bin/database,
-domain=>.capricorn.org,
-secure=>1);