
Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2

Posted: Wed Jul 01, 2009 3:45 pm
by therube
I did my testing at the "long" one, https://onlineservices.wachovia.com/aut ... returnHome.

No third party cookie stuff.

Identical? Wouldn't know, but would expect it to be close enough.
SeaMonkey 1.1.17 is likely the same. SeaMonkey 2, I would guess slightly different.

doubleclick? I disabled Adblock Plus as I was testing, otherwise I guess it would have been nixed.

Re: [COOKIES STILL NOT FIXED] forcing https broken in ff2

Posted: Thu Jul 02, 2009 8:55 am
by Tom T.
Tom T. wrote:
I am hoping that the secure cookie, TLTSID, is the one that a thief would need to hijack the session, and that the insecure one is only generic information, such as OS, browser, etc. In which case, there is no cause for concern...

After clearing the above cookies, etc. with HTTPS Force in place, please visit the home page, http://www.wachovia.com. It correctly sets an HTTPS connection, as forced. Yet this time, three insecure cookies are set, despite there never having been an HTTP connection.
Again, one hopes that these insecure cookies, OriginalReferrer, CookiesAreEnabled, and s_sess, contain nothing sensitive. ... And that the secure cookie received upon login, TLTSID, contains the goodies. So forcing HTTPS for the site, although successful in setting the HTTPS connection, still does not force all secure cookies. Please tell me that this is nothing to worry about. Thanks.
This is still all I really need to know. If the unsecured cookies contain nothing of value, then there is no problem. Giorgio, whenever you have a chance, would appreciate it. TIA.
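The check discussed in the post above, as an added example that is not part of the original thread: it sorts the Set-Cookie headers of a response received over HTTPS by whether they carry the Secure attribute, since a cookie without it is also attached to any later plain-HTTP request for the same host. The cookie names come from the thread; the header values, the function names and the sample list are constructed for illustration, and Domain/Path matching is ignored.

```javascript
// Parse one Set-Cookie header value into its name and the flags that matter here.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no name=value pair: treated as malformed here
  const cookie = { name: first.slice(0, eq).trim(), secure: false, httpOnly: false };
  for (const part of parts) {
    // Attribute names are case-insensitive; only attributes are inspected,
    // so a cookie *value* containing the word "secure" does not count.
    const key = part.split("=")[0].trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Given the Set-Cookie headers of a response received over HTTPS, split the
// cookies into those confined to HTTPS and those a browser would also attach
// to a later plain-HTTP request for the same host.
function auditHttpsResponse(setCookieHeaders) {
  const report = { httpsOnly: [], alsoSentOverHttp: [], malformed: [] };
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie) report.malformed.push(header);
    else if (cookie.secure) report.httpsOnly.push(cookie.name);
    else report.alsoSentOverHttp.push(cookie.name);
  }
  return report;
}

// Constructed sample: cookie names from the thread, values are placeholders.
const sampleHeaders = [
  "OriginalReferrer=secure-placeholder; path=/", // "secure" in the value only
  "CookiesAreEnabled=yes; path=/",
  "s_sess=placeholder; path=/; HttpOnly",        // HttpOnly is not Secure
  "TLTSID=PLACEHOLDER; Path=/; SECURE",          // attribute case does not matter
  "; Secure",                                    // malformed: no name=value
];

const report = auditHttpsResponse(sampleHeaders);
console.log(report);
```

Whether the cookies listed under `alsoSentOverHttp` matter depends on what the server accepts them for, which the headers alone do not show.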