Vaibhav Gargs wrote:Thanks Tim. Suppose the client has a cookie ABC which, over HTTPS, after encryption becomes XYZ. Now the attacker intercepts the request in between and uses the encrypted cookie, say XYZ, to make a request to the server. Will it work? I am sorry - I'm new to security so I don't have much idea about all this stuff.
Vaibhav Gargs wrote:
Stephan van Hulst wrote:As soon as an attacker knows the session cookie, you've lost.
Using HTTPS only helps in preventing an attacker from getting the cookie in the first place.
Thank you Stephan. How does HTTPS prevent the attacker from getting the cookie? The cookie will be transmitted along with the request, so can't the attacker sniff the request and steal the cookie?
Glen Lang wrote:Food for thought, thanks. I do agree with you; unfortunately, I wasn't given a choice... You know how things go...
Campbell Ritchie wrote:And that XKCD is very appropriate for the puzzle in the first post.
Ryan McGuire wrote:. . . there's an XKCD for that. . . .