If I list Discover.com in Secure Cookies management, I am unable to login to the site. As long as I don't list ".discover.com" (even if Secure Cookies Management is enabled), I can login.
Looking at the cookies in firefox, it appears that Discover is flagging some cookies as Encrypted-Only and others as regular. All my interaction with the site is from a green (extended validation) HTTPS webpage, so it strikes me as odd that regular cookies would be used at all.
Can anybody provide any context on this? Is this poor security practice by Discover? Should I complain, and if so, what exactly should I argue they are doing wrong?
Is it correct to expect there to be no breakage when listing an Extended Validation webpage under Secure Cookies Management?
Edit: I've noticed it's not just Discover that does this. Other banks are setting regular cookies on encrypted sessions also.
Listing Bank in Secure Cookies Management prevents login
Re: Listing Bank in Secure Cookies Management prevents login
> I am unable to login to the site.

What does happen when you attempt?
Re: Listing Bank in Secure Cookies Management prevents login
OK, install NoRedirect and configure it to block all redirects (Regex: .* , check only 'Source') and see if there's a plain HTTP redirect in there somewhere?
*Always* check the changelogs BEFORE updating that important software!
Re: Listing Bank in Secure Cookies Management prevents login
therube wrote:
> > I am unable to login to the site.
> What does happen when you attempt?

It lands me on a login page (without logging me in) at discovercard.com. See below.

barbaz wrote:
> OK, install NoRedirect and configure it to block all redirects (Regex: .* , check only 'Source') and see if there's a plain HTTP redirect in there somewhere?

Discover makes everyone log in at Discover.com. If you specify Credit Card, then it redirects to www.discovercard.com. The NoRedirect addon activated, but the URL it shows has https:.... So this means the redirection is occurring over TLS, but does it say anything about the cookies?
Re: Listing Bank in Secure Cookies Management prevents login
The next thing to try is to open the Browser Console (Ctrl-Shift-J) and watch the net traffic. Look for any plain http requests that are not related to OCSP validation.
While you're at it, why not try again with Secure Cookies management enabled and see what messages NoScript spits out to the Browser Console? Please post them here with "sensitive" info removed.
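The following is an added example, not code from the thread, NoScript or any bank: a small RFC 6265-style cookie jar in Node.js that decides which stored cookies a browser would attach to a given request URL. It replays a constructed login flow (the hostnames, cookie names and the plain-HTTP hop are made up for illustration) twice, once with cookies stored exactly as the server sent them and once under a policy that stamps Secure on every cookie set over HTTPS, which is what "Secure Cookies Management" does for listed domains. It shows two things the thread is circling: a cookie set without Secure on an HTTPS page is still attached to any http:// request for a matching host, so it is exposed to anyone who can get the browser to make one plain-HTTP request; and once every cookie is Secure, a plain-HTTP hop in the login flow receives no cookies at all, which is the kind of breakage the NoRedirect and Browser Console checks above are meant to surface.

```javascript
// Added example (not from the NoScript thread): minimal cookie-jar logic that
// mirrors how a browser decides to send a cookie (RFC 6265 sections 5.1.3,
// 5.1.4 and 5.4), used to replay a constructed login flow with and without a
// "force Secure on HTTPS" policy. All hostnames and cookie names are made up.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('=').trim(),
    domain: requestHost.toLowerCase(), // host-only cookie unless Domain= is given
    hostOnly: true,
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Domain match (5.1.3): exact host, or a subdomain when the cookie carried Domain=.
function domainMatches(host, cookieDomain, hostOnly) {
  if (host === cookieDomain) return true;
  return !hostOnly && host.endsWith('.' + cookieDomain);
}

// Path match (5.1.4).
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  // forceSecure emulates a policy that marks every cookie set over HTTPS as
  // Secure, whatever the server asked for (assumed to model the NoScript option).
  constructor({ forceSecure = false } = {}) {
    this.forceSecure = forceSecure;
    this.cookies = new Map(); // key: name|domain|path
  }

  store(setCookieHeader, responseUrl) {
    const url = new URL(responseUrl);
    const c = parseSetCookie(setCookieHeader, url.hostname);
    if (this.forceSecure && url.protocol === 'https:') c.secure = true;
    this.cookies.set(`${c.name}|${c.domain}|${c.path}`, c);
    return c;
  }

  // Names of the cookies a browser would attach to a request for this URL.
  cookiesFor(requestUrl) {
    const url = new URL(requestUrl);
    const https = url.protocol === 'https:';
    return [...this.cookies.values()]
      .filter((c) => domainMatches(url.hostname, c.domain, c.hostOnly))
      .filter((c) => pathMatches(url.pathname, c.path))
      .filter((c) => !c.secure || https) // Secure cookies are never sent over http:
      .map((c) => c.name);
  }
}

// Constructed login flow: the HTTPS login response sets one Secure cookie and
// one without Secure, then the site passes through a plain-HTTP hop before
// landing on an HTTPS page on a sibling host. Returns what each hop receives.
function replayLogin({ forceSecure }) {
  const jar = new CookieJar({ forceSecure });
  const loginUrl = 'https://www.example-bank.test/login';
  for (const h of [
    'SESSION=abc123; Path=/; Secure; HttpOnly',
    'PREFS=cc; Domain=.example-bank.test; Path=/',
  ]) jar.store(h, loginUrl);
  const hops = [
    'http://www.example-bank.test/redirect', // the plain-HTTP hop
    'https://card.example-bank.test/account',
  ];
  return hops.map((u) => ({
    url: u,
    plainHttp: new URL(u).protocol === 'http:',
    cookies: jar.cookiesFor(u),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const forceSecure of [false, true]) {
    console.log(`forceSecure=${forceSecure}`, JSON.stringify(replayLogin({ forceSecure })));
  }
}
```

With forceSecure=false the plain-HTTP hop receives PREFS (the cookie the server set without Secure), so that value crosses the wire in the clear; with forceSecure=true the same hop receives nothing, and any server-side step that relied on a cookie there fails, while the final HTTPS page still gets PREFS either way. Replacing the constructed Set-Cookie strings with the ones visible in the Browser Console, and the hop list with the redirect chain NoRedirect reports, turns this into a direct check of which cookie is being lost at which step.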