We have our own server in a data centre, and we have an SSL certificate.

I've set UseSSL to true in web.config.

However, I notice that requiring SSL for the Forms auth cookie is set to false:

<forms name="NOPCOMMERCE.AUTH" loginUrl="~/Login.aspx" protection="All" timeout="43200" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/default.aspx" enableCrossAppRedirects="false"/>

My question is, if UseSSL is set to true is this enough to guarantee that the forms authentication cookie is always sent over SSL?

Or, to put it the other way round, is the cookie EVER sent over clear http?

Obviously I'm concerned about security but also there's no point telling my boss we need to buy SSL certs for new sites which are using the NopCommerce database with the membership provider I knocked up if Nop itself is sending auth in the clear.

I've thought about using Fiddler2 to look into this (and/or changing the forms tag to requireSSL=true and seeing what happens) but someone must know the answer already? :)

TIA.

kingboyk wrote:

I'm not sure on the actual answer, but the best way I find to check this sort of stuff is to use Wireshark. Sniff the line just like a "hacker" would do, and make sure that nothing important is human readable.
Think like them, try things like they would, and learn from it! That's my philosophy on that stuff!

That sounds like work! Well it's on my Todo list anyway. Thanks for the Wireshark tip.

Perhaps the "Require SSL" box in IIS management is the way to go.

Talking of work, must get on with it. Cheers for now.

I'll do some "work" for you on my site, run some wiresharking on the server side and let you know how I go (with the Require SSL stuff as discussed).

Work is over for me thank goodness! One more day till weekend!

Any findings to share?

I'm building a new VM for development and found myself at the Fiddler2 website today. While there I chanced upon a web security scanner add-in which looks quite interesting - http://websecuritytool.codeplex.com/

I changed requireSSL to "true" in the Forms section of web.config.

I received a HttpException: The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.

Looking at fiddler2, the auth cookie definitely gets sent over the wire unencrypted and presumably the only way round that is to require ssl on the entire site?

I'm surprised more emphasis isn't put on this within nopCommerce.  I have 2 different ASV's scanning my sites.  One of them says this is a PCI issue that must be fixed for compliance.  The other doesn't.  But, why wouldn't we want session cookies to be sent securely over SSL?

McAfee Secure says:"The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.

It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them."

So, why shouldn't this be fixed for the next release?  Why not fix nopCommerce so that when cookies are being set while using an SSL connection the cookie is sent over SSL?  Where would I find this code if I wanted to fix it myself?

As others have stated, if you try to fix this with a setting in web.config then need to have SSL for all visitors the entire time they are on your site.  This places a higher load on the server which may or may not be a big deal.  I know I'd rather not have the site totally run over SSL.