PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
It is currently Tue Oct 20, 2020 3:13 am

All times are UTC - 5 hours

Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Sun Aug 14, 2011 11:59 pm 
Forum Regular
User avatar

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
I’ve been doing a fair amount of research lately and I came across an idea that I found particularly interesting, especially after some recommendations I made in passing a token in a secure cookie in this thread: ... 9&p=657645

As the story goes, if a cookie is set on an https request with the secure flag set to TRUE, you can then overwrite the secure cookie on a sub-sequent non-secure request. This seems odd behavior due to the same-origin-policy.
I have included a quick snippet of code as an example. It requires you to have access to a server with SSL.

This behavior was observed in:
- Windows 7 \ Internet Explorer 8
- Windows 7 \ Firefox 5.0
- Windows 7 \ 13.0.782.112 m

Syntax: [ Download ] [ Hide ]
  # Definitions
   define('COOKIE_NAME', 'MySecureCookie');
  # Variables
   $payload = isset($_COOKIE[COOKIE_NAME]) ? $_COOKIE[COOKIE_NAME] : htmlentities('(Cookie Not Sent By Client)');
    $action = isset($_POST['action']) ? $_POST['action'] : '';
  # Functions
   function is_https()
      if(  (isset($_SERVER['HTTPS']) && mb_strtolower($_SERVER['HTTPS']) == "on")
        || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 1)
        || (isset($_SERVER['SERVER_PORT']) && $_SERVER["SERVER_PORT"] == 443)
        return true;
      return false;
    function is_postback()
     return (isset($_SERVER['REQUEST_METHOD']) && mb_strtolower($_SERVER['REQUEST_METHOD']) == "post");
  # Action
   if(is_postback()) {
      if($action == 'set_cookie') {
        if(is_https()) {
          setcookie (COOKIE_NAME, 'HTTPS_TOKEN: 123456', 0, '/', '', TRUE);
        } else {
          setcookie (COOKIE_NAME, 'HTTP_OVERWRITE', 0, '/', '', TRUE);
        header('location: index.php');
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="">
    <title>Security: Cookie Clobbering</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
      <h1>Example: Cookie Clobbering</h1>
      <p>As per the design of my user login system, when a user logs in, they must do so over a secure connection (HTTPS).  Upon successful authentication, the user is assigned a secure token which is stored in a cookie (a cookie with the secure flag set to TRUE).  This tells the browser to send the cookie payload over a secure connection only.</p>
      <p>The suspicion is that you can overwrite the secure (HTTPS) cookie from a non-secure (HTTP) request.</p>
      <hr />
      <strong>Current Connection Protocol: <?php print is_https() ? 'HTTPS' : 'HTTP'; ?></strong>
      <br />
      <strong>Current Value of "$_COOKIE['<?php print COOKIE_NAME; ?>']": <?php print $payload; ?></strong>
      <hr />
      <form action="<?php print is_https() ? "http://{$_SERVER['SERVER_NAME']}{$_SERVER['REQUEST_URI']}" : "https://{$_SERVER['SERVER_NAME']}{$_SERVER['REQUEST_URI']}"; ?>" method="post">
        <input type="hidden" name="action" value="change_protocol">
        <input type="submit" value="Change Protocol">
      <form action="index.php" method="post">
        <input type="hidden" name="action" value="set_cookie">
        <input type="submit" name="cookie_value" value="Set Cookie Value and Refresh Page">

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC - 5 hours

Who is online

Users browsing this forum: No registered users and 8 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group