Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 2:08 pm
by Guest
I added google.com to the list for "Force encryption for all cookies set over HTTPS by the following sites". However, even though I only log in over the https interface, one of the cookies I receive is still insecure, according to CS Lite. Additionally, even when I visit one of Google's unencrypted search pages, Google still sees me as logged in.
Why?
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 3:03 pm
by Giorgio Maone
Did you tick the "Automatic secure cookie management" checkbox?
Also, are you sure the insecure cookie is from gmail.google.com and not from google.com?
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 3:38 pm
by Guest
Giorgio Maone wrote: Did you tick the "Automatic secure cookie management" checkbox?
Yes, the box is ticked.
Giorgio Maone wrote: Also, are you sure the insecure cookie is from gmail.google.com and not from google.com?
It is a google.com cookie, but I placed both google.com and mail.google.com on the force secure cookies list.
Also, I did not temporarily allow google.com to put cookies on my computer, using CS Lite, until I reached the https login page, so it was not a pre-existing cookie. And apparently the single insecure cookie was enough for Google to recognise me even on the non-https search page.
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 3:44 pm
by Giorgio Maone
May I know the name of the cookie? I've got some suspects...
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 3:59 pm
by Guest
Giorgio Maone wrote: May I know the name of the cookie? I've got some suspects...
Name: SID
Domain: .google.com
Path: /
Secure: No
Expiration: Session
GAUSR and LSID (from HOST: http://www.google.com) are both marked as secure, as is everything from mail.google.com.
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 4:16 pm
by Giorgio Maone
SID is set by http://www.google.com, which you're not enforcing HTTPS cookies on (are you?)
Just add http://www.google.com or even better *.google.com (beware, though, that some Google services which are not HTTPS enabled might cease to work).
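The point of this reply, that a site list without a wildcard leaves cookies set by www.google.com untouched while *.google.com catches them, can be checked with a small audit script. This is an added example, not NoScript's or the poster's code; the Set-Cookie values are constructed, and the wildcard semantics (the pattern matches the base host and all its subdomains) are an assumption of the example.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # Domain attribute (leading dot stripped), or the setting host if absent
    path: str
    secure: bool

def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse one Set-Cookie header value: NAME=VALUE followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", setting_host).lstrip(".")
    return Cookie(name.strip(), value, domain, attrs.get("path", "/"), "secure" in attrs)

def host_matches(pattern: str, host: str) -> bool:
    """'example.com' matches that host only; '*.example.com' matches it and every
    subdomain (assumed wildcard semantics for this example)."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def enforce_secure(cookie: Cookie, setting_host: str, over_https: bool, force_list) -> Cookie:
    """Emulate 'force encryption for cookies set over HTTPS': the cookie gets the Secure
    flag when the host that set it is on the list and the response arrived over HTTPS."""
    if over_https and any(host_matches(p, setting_host) for p in force_list):
        return Cookie(cookie.name, cookie.value, cookie.domain, cookie.path, True)
    return cookie

def audit(responses, force_list):
    """responses: (setting_host, over_https, set_cookie_header) tuples.
    Returns {cookie name: (Secure as sent by the server, Secure after enforcement)}."""
    result = {}
    for host, https, header in responses:
        as_set = parse_set_cookie(header, host)
        enforced = enforce_secure(as_set, host, https, force_list)
        result[as_set.name] = (as_set.secure, enforced.secure)
    return result

# Constructed sample modelled on the thread: SID set by www.google.com without Secure.
SAMPLE = [
    ("www.google.com", True, "SID=CONSTRUCTED; Domain=.google.com; Path=/"),
    ("www.google.com", True, "LSID=CONSTRUCTED; Domain=.google.com; Path=/; Secure"),
    ("mail.google.com", True, "GX=CONSTRUCTED; Path=/mail; Secure"),
]

if __name__ == "__main__":
    for force_list in (["google.com", "mail.google.com"], ["*.google.com"]):
        print(force_list, audit(SAMPLE, force_list))
```

With the original two-entry list the SID cookie stays insecure; with *.google.com it would be flagged Secure, which is also why services relying on plain-HTTP cookies can break.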
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 4:48 pm
by Guest
Giorgio Maone wrote: SID is set by http://www.google.com, which you're not enforcing HTTPS cookies on (are you?)
Just add http://www.google.com or even better *.google.com (beware, though, that some Google services which are not HTTPS enabled might cease to work).
I had the following on the list:
google.com
mail.google.com
(No wildcard characters.)
I added the wildcard character, but now I can't login at all.
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 5:00 pm
by Giorgio Maone
Well, I told you preventing that cookie from being set could break something.
However, you probably don't need this.
Just try to delete the secure cookies and check if you can still login. If you cannot, you're safe.
Re: Gmail (aka Google Mail) and secure cookies
Posted: Mon May 18, 2009 5:29 pm
by Guest
Giorgio Maone wrote: Well, I told you preventing that cookie from being set could break something.
However, you probably don't need this.
Just try to delete the secure cookies and check if you can still login. If you cannot, you're safe.
You are right.
The insecure cookie seems to be insufficient to get into Google Mail with. It looks like all an attacker could do with the insecure cookie is impersonate me while searching Google and look at my Web History, which is empty because I don't let Google run scripts. So I suppose someone could frame me by searching for illegal material with my cookie, but at least my mail can't be compromised that way.
Re: Gmail (aka Google Mail) and secure cookies
Posted: Tue Jun 09, 2009 11:09 pm
by GµårÐïåñ
I was using Gmail through the website today and it logged me in and then, when I changed folder, it popped up saying that it appears you have logged out or someone else has logged on to this machine, so you need to log back in, and took me away to the login page. I was pissed and so tried to log back in, and this time it just sits on that loading page: the bar goes to 100 and it just sits there doing abso-freakin-lutely nothing. Whatever the problem was, it's back.