Re: new cookie draft

On Thu, 20 Mar 1997, M. Hedlund wrote:

> The only case in which we would need a port restriction would be when two
> Web servers are running on the same host with the same server name but
> different port numbers: 
>[...] 
> 
> 	+ Finally, if two servers are on the same physical host but run
> 	  under different server names (using virtual hosting)  -- which is,
> 	  I would guess, a more common case than the first -- this problem
> 	  does not arise, so again a port restriction makes no sense. 

I believe this is no different than the case of using the same server name
which Koen raised ... with virtual hosting, each virtual host is an alias
for the same physical host.  Hence the rogue server running on a high port
can virtual host for the same names as the server whose cookies it is
trying to intercept.

My sense of the world of webfarm server services providing virtual hosting
is that actually using this technique to harvest cookies intended for
another server would be quite difficult at best. The rogue server
operator must:

   a.  Manage to keep the rogue server started and running and receiving
       requests for a port that the web farm owner doesn't support
   b.  Introduce URLs in places likely to be seen and followed by people
       who also use the approved server

Hence I would propose that this issue be addressed with a security
consideration note which describes the possibility and strongly discourages
the use of cookies to carry sensitive information if the application is
hosted on a shared system where an unauthorized person could run a web
server.  A similar warning should exist (it may, I'm being lazy and not
double checking) for the case where the spec allows multiple hosts to
share cookies.

Personally, I think it's bad design to include anything more than a basic
session ID in the cookie but I know there are many sites that find storing
user information in the user's browser attractive so I think they bear the
responsibility for paying attention to the security issues.

Dave Morris

Received on Thursday, 20 March 1997 18:06:06 UTC
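The scoping rule the thread argues about, as an added illustration (not code from the thread or from any browser): a cookie's scope is domain plus path (plus Secure), and the request port is never consulted, so a second server on another port of the same host, or a virtual host covering the same name, receives the same cookie. Host names and URLs below are constructed.

```python
"""Model of cookie scoping: domain + path (+ Secure), port ignored.
Constructed example for the discussion above, not a library's code."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # host it was set by, or an explicit Domain= value
    path: str = "/"
    secure: bool = False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Host matches if it equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Request path is the cookie path itself or lies beneath it."""
    if request_path == cookie_path:
        return True
    if cookie_path.endswith("/"):
        return request_path.startswith(cookie_path)
    return request_path.startswith(cookie_path + "/")


def would_send(cookie: Cookie, url: str) -> bool:
    """True if a browser fetching `url` would attach `cookie`.
    The port is parsed along with the rest of the URL but never used."""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False
    return (domain_matches(parts.hostname or "", cookie.domain)
            and path_matches(parts.path or "/", cookie.path))


def sharing_servers(cookie: Cookie, urls: list[str]) -> list[str]:
    """Which of the candidate servers (approved server, a server on a high
    port of the same host, an unrelated host) would receive the cookie."""
    return [u for u in urls if would_send(cookie, u)]
```

Running `sharing_servers` over the approved server's URL and the same host on a different port returns both, which is the situation the security consideration note is meant to warn about.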