
Gathering session cookies with Firesheep


Posted Nov 4, 2010 19:32 UTC (Thu) by Spudd86 (subscriber, #51683)
Parent article: Gathering session cookies with Firesheep

I suppose one workable solution (in some cases, probably good enough for LWN) is to have two session IDs for each user, one that's SSL/TLS only and one that is available over HTTP, then use the HTTP cookie to present customized content, decide if you're logged in, etc. Then when the user takes some action that needs to be authenticated, switch to HTTPS (i.e. clicks a "Post Comment" button).

Obviously there are issues with this (one of which being it'd be hard to make sure it really is secure enough, and get the implementation right), but it's probably viable for situations where for most stuff there isn't a real risk from a MITM (i.e. a MITM can't really do anything of consequence).


Gathering session cookies with Firesheep

Posted Nov 4, 2010 20:48 UTC (Thu) by corbet (editor, #1)

I've implemented a simpler variant, have been using it for LWN editor accounts for a little bit now. The authentication cookie is SSL-only, of course, but we also set an insecure "SSL only" cookie. Whenever the site sees that second cookie on a non-SSL connection, the browser is redirected. Seems to work great.
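The marker-cookie pattern described in the comment above, written out as an added example; this is not LWN's code, and the cookie names, the request structure and the sample host are assumptions for illustration. The authentication cookie carries the Secure flag so a browser never sends it over plain HTTP, while a second, non-Secure marker cookie rides along on every request; seeing that marker on a non-HTTPS request tells the server the browser has drifted onto HTTP and should be redirected back.

```python
"""Added example of the 'SSL only' marker-cookie pattern (not LWN's code).

Assumptions: cookie names below are made up, Request is a minimal stand-in
for whatever the web framework hands the handler, and the host in the
usage section is a constructed sample value.
"""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

AUTH_COOKIE = "session"      # assumed name of the real (Secure) auth cookie
MARKER_COOKIE = "ssl_only"   # assumed name of the non-Secure marker cookie


@dataclass
class Request:
    scheme: str          # "http" or "https"
    host: str
    path: str
    cookie_header: str   # raw Cookie: header value, "" if absent


def login_set_cookie_headers(session_id: str) -> list[str]:
    """Return the two Set-Cookie header values emitted on a successful login."""
    auth = SimpleCookie()
    auth[AUTH_COOKIE] = session_id
    auth[AUTH_COOKIE]["secure"] = True     # browser never sends it over http://
    auth[AUTH_COOKIE]["httponly"] = True   # not readable by page scripts
    auth[AUTH_COOKIE]["path"] = "/"

    marker = SimpleCookie()
    marker[MARKER_COOKIE] = "1"            # deliberately NOT Secure
    marker[MARKER_COOKIE]["path"] = "/"

    return [auth.output(header="").strip(), marker.output(header="").strip()]


def parse_cookies(header: str) -> dict[str, str]:
    """Parse a Cookie: header value into a name -> value mapping."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def redirect_target(req: Request) -> Optional[str]:
    """Return an https:// URL to redirect to, or None to serve the request.

    The marker cookie is the only thing visible on an HTTP request from a
    logged-in browser (the Secure auth cookie is withheld), so its presence
    on a non-HTTPS request is the signal to bounce the browser to HTTPS.
    """
    if req.scheme == "https":
        return None
    if MARKER_COOKIE in parse_cookies(req.cookie_header):
        return f"https://{req.host}{req.path}"
    return None


def session_id_from_request(req: Request) -> Optional[str]:
    """Only trust the auth cookie over HTTPS.

    The Secure flag should already stop it arriving over HTTP, but a
    server-side check guards against a cookie set without the flag by
    an older or misconfigured code path.
    """
    if req.scheme != "https":
        return None
    return parse_cookies(req.cookie_header).get(AUTH_COOKIE)


if __name__ == "__main__":
    # Constructed sample traffic; "news.example" is not a real host.
    for header in login_set_cookie_headers("abc123"):
        print("Set-Cookie:", header)
    http_req = Request("http", "news.example", "/Articles/1/", "ssl_only=1")
    print("http + marker ->", redirect_target(http_req))
    https_req = Request("https", "news.example", "/Articles/1/",
                        "session=abc123; ssl_only=1")
    print("https ->", redirect_target(https_req),
          "session:", session_id_from_request(https_req))
```

The marker cookie carries no secret, so an eavesdropper learning it gains nothing; its only job is to let the server notice, on the very first plain-HTTP request, that this browser belongs to someone who should be on HTTPS.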

