msumerano wrote: Amazon is not vulnerable because they don't send the authentication ticket cookie over HTTP requests. Whenever you actually go to check out, it forces you to log in again, thus creating a new authentication ticket and transferring it only over HTTPS.
I've just tested the Amazon site with Fiddler. It does send the authentication ticket cookie over HTTP. Right, it forces you to log in again when you go to checkout. But it does not force you to log in again when you go to the "my account" page (also HTTPS) after visiting a product details page (HTTP). The session-token and user id in the sent cookies are also the same between requests according to Fiddler (after visiting HTTPS and before). Maybe I'm doing something wrong or missed something. Maybe they distinguish between sessions and authentication tickets at Amazon.
msumerano wrote: .NET, if not configured correctly, will send the FormsAuthentication ticket cookie over HTTP or HTTPS unless it's set to secure="true". You can see this on Amazon with Firebug on the Net panel looking at the headers of HTML pages. Some cookies are missing over HTTP connections. If you take a look at the cookies sent in the response from an ASP.NET app that uses FormsAuthentication, uses secure=false, and switches between HTTP and HTTPS, the authentication ticket is always passed. It doesn't matter if the ticket itself is encrypted (which it is in ASP.NET), it can still be replayed with little effort when not sent over HTTPS.
If you use a separate cookie to track whether or not someone is logged in (say just to display their username), you can still set the FormsAuthentication ticket cookie as secure to prevent its transmission over HTTP. It'll just force users to log in again (à la Amazon) whenever hitting the payment area that requires HTTPS, since a new ticket will need to be created.
There's a good MSDN article about this from the ASP.NET 2.0 days. It still applies today and is really not specific to ASP.NET at all, which is why I originally posted the OWASP link.
http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_step3
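The Fiddler comparison in the earlier reply and the Secure-flag point in this post are the same check done by hand: which cookies a response sets without Secure, which of them the browser then sends in cleartext HTTP requests, and whether one ticket value crosses from HTTPS to HTTP. The script below is an added example, not code from nopCommerce, Amazon or the posters in this thread; it runs that check over a constructed capture of exchanges. It assumes the auth cookie is named .ASPXAUTH (the ASP.NET forms authentication default) and every cookie value in it is made up for the example.

```python
"""Cookie audit over a captured HTTP/HTTPS session (added example).

Not code from nopCommerce, Amazon or the forum posters. Assumptions: the
auth cookie is .ASPXAUTH (ASP.NET default name); the sample captures below
are constructed, not taken from any real site.
"""
from dataclasses import dataclass


@dataclass
class SetCookie:
    name: str
    value: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie response header into name, value and flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return SetCookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def parse_cookie_header(header: str) -> dict:
    """Parse a request Cookie header into {name: value}."""
    cookies = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            cookies[name.strip()] = value.strip()
    return cookies


def audit(capture, sensitive):
    """Return findings for a capture.

    capture: list of (scheme, request Cookie header, [Set-Cookie headers]),
    in the order the exchanges happened. sensitive: cookie names whose
    exposure over HTTP matters (authentication ticket, session id).
    """
    findings = []
    seen_over_https = {}  # cookie name -> value last observed on an HTTPS exchange
    for i, (scheme, cookie_header, set_cookies) in enumerate(capture):
        sent = parse_cookie_header(cookie_header)
        for name in sensitive:
            if name not in sent:
                continue
            if scheme == "https":
                seen_over_https[name] = sent[name]
            else:
                findings.append(f"#{i}: {name} sent in a cleartext HTTP request")
                # Same value as on an earlier HTTPS exchange: a captured copy would replay.
                if seen_over_https.get(name) == sent[name]:
                    findings.append(f"#{i}: {name} value used over HTTPS is exposed over HTTP (replay risk)")
        for raw in set_cookies:
            c = parse_set_cookie(raw)
            if c.name not in sensitive:
                continue
            if scheme == "https":
                seen_over_https[c.name] = c.value
            if not c.secure:
                findings.append(f"#{i}: Set-Cookie {c.name} lacks Secure; browser will send it over HTTP")
            if not c.httponly:
                findings.append(f"#{i}: Set-Cookie {c.name} lacks HttpOnly")
    return findings


SENSITIVE = (".ASPXAUTH", "session-id")

# Constructed capture: login over HTTPS sets the ticket without Secure, a
# product page over HTTP then carries it, "my account" over HTTPS reuses it.
CAPTURE_WEAK = [
    ("https", "", ["session-id=abc123; Path=/; HttpOnly",
                   ".ASPXAUTH=TICKET-1; Path=/; HttpOnly"]),
    ("http", "session-id=abc123; .ASPXAUTH=TICKET-1", []),
    ("https", "session-id=abc123; .ASPXAUTH=TICKET-1", []),
]

# Same flow with Secure set: the browser withholds both cookies over HTTP.
CAPTURE_FIXED = [
    ("https", "", ["session-id=abc123; Path=/; Secure; HttpOnly",
                   ".ASPXAUTH=TICKET-1; Path=/; Secure; HttpOnly"]),
    ("http", "", []),
    ("https", "session-id=abc123; .ASPXAUTH=TICKET-1", []),
]

if __name__ == "__main__":
    for label, capture in (("weak", CAPTURE_WEAK), ("fixed", CAPTURE_FIXED)):
        print(label, audit(capture, SENSITIVE))
```

The weak capture yields six findings (two missing Secure flags, two cleartext transmissions, two replay-risk notes); the fixed one yields none, which is the outcome the secure="true" / requireSSL setting discussed in this thread is meant to produce.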
Thanks for the info. But as I've written above, some pages in all the previous versions of nopCommerce were also always forced to be HTTP. Now we've simply added more pages to this list. I'll create a work item and investigate it further. What I can suggest to you now is to force nopCommerce to use SSL all over the site:
1. Open the solution
2. Remove all [NopHttpsRequirement(SslRequirement.No)] attributes throughout the source code
3. Open the \Presentation\Nop.Web\Controllers\BaseNopController.cs file and add the [NopHttpsRequirement(SslRequirement.Yes)] attribute to you
UPDATE 1: I've just also found that it's already supported and you can already enable it easily. It's disabled by default because not all store owners have an SSL certificate installed:
1. Open Web.config file
2. Find <forms /> element
3. Set its "requireSSL" attribute to "true"
P.S. But WebWorkContext also needs some changes so that it doesn't use the forms authentication ticket for loading the current customer. Otherwise, the current customer won't be loaded for non-secured pages. So for now you can use the solution I suggested above (force all pages to be secured).
UPDATE 2: Forget about the changes I've described above. Please see changeset 5db00c505e9b. So all you need to do is to set the 'securitysettings.forcesslforallpages' setting to 'true'.