Listing Bank in Secure Cookies Management prevents login

Posted: Wed Apr 15, 2015 2:18 pm
by tarjk
If I list Discover.com in Secure Cookies management, I am unable to login to the site. As long as I don't list ".discover.com" (even if Secure Cookies Management is enabled), I can login.

Looking at the cookies in firefox, it appears that Discover is flagging some cookies as Encrypted-Only and others as regular. All my interaction with the site is from a green (extended validation) HTTPS webpage, so it strikes me as odd that regular cookies would be used at all.

Can anybody provide any context to this? Is this a poor security practice by Discover? Should I complain, and what exactly should I argue they are doing wrong?

Is it correct to expect there to be no breakage when listing an Extended Validation webpage under Secure Cookies Management?

Edit: I've noticed it's not just Discover that does this. Other banks are setting regular cookies on encrypted sessions also.

Re: Listing Bank in Secure Cookies Management prevents login

Posted: Wed Apr 15, 2015 5:30 pm
by therube
I am unable to login to the site.
What does happen when you attempt?

Re: Listing Bank in Secure Cookies Management prevents login

Posted: Wed Apr 15, 2015 5:58 pm
by barbaz
OK, install NoRedirect and configure it to block all redirects (Regex: .* , check only 'Source') and see if there's a plain HTTP redirect in there somewhere?

Re: Listing Bank in Secure Cookies Management prevents login

Posted: Wed Apr 15, 2015 9:20 pm
by tarjk
therube wrote:
I am unable to login to the site.
What does happen when you attempt?
It lands me on a login page (without logging me in) at discovercard.com. See below.
barbaz wrote:
OK, install NoRedirect and configure it to block all redirects (Regex: .* , check only 'Source') and see if there's a plain HTTP redirect in there somewhere?
Discover makes everyone login at Discover.com. If you specify Credit Card, then it is redirecting to www.discovercard.com. The NoRedirect addon activated but the URL it shows has https:.... So this means the redirection is occurring over TLS, but does it say anything about the cookies?

Re: Listing Bank in Secure Cookies Management prevents login

Posted: Wed Apr 15, 2015 9:48 pm
by barbaz
Next thing to try is open the Browser Console (Ctrl-Shift-J) and watch the net traffic. Look for any plain http requests that are not related to OCSP validation.

While you're at it, why not try again with Secure Cookies management enabled and see what messages NoScript spits out to the Browser Console; please post them here with "sensitive" info removed.
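The two things this thread ends up hunting for (cookies set over HTTPS without the Secure flag, as tarjk saw in the Firefox cookie list, and plain-HTTP requests in the Browser Console that are not OCSP lookups, as barbaz suggests checking) can be audited from a captured session instead of by eye. The script below is an added example written for this thread, not code from NoScript, NoRedirect or anyone posting here. The session it inspects is constructed: the hostnames are the ones mentioned above, but the paths, cookie names, cookie values and the OCSP responder host are made up, and the "hostname contains ocsp" rule for skipping OCSP traffic is an assumed heuristic.

```python
"""Audit a captured browsing session for two things:
1. cookies set on an HTTPS response without the Secure flag, and
2. plain-HTTP requests that do not look like OCSP lookups.

Added example for the forum thread above; the capture below is constructed,
not real Discover traffic.
"""

from urllib.parse import urlsplit

# Constructed sample session: (request URL, Set-Cookie headers on the response).
# Hostnames come from the thread; paths, cookie names and values are made up.
SAMPLE_SESSION = [
    ("https://www.discover.com/", ["SESSIONID=abc123; Path=/; Secure; HttpOnly"]),
    ("https://www.discover.com/login", ["prefs=cc; Domain=.discover.com; Path=/"]),
    ("https://www.discovercard.com/cardmembersvcs/login", ["token=xyz; Path=/; Secure"]),
    ("http://ocsp.example-ca.test/", []),   # certificate status check, expected over HTTP
    ("http://www.discovercard.com/", []),   # plain-HTTP hop to the bank itself, worth a look
]

# Assumed heuristic: OCSP responders usually have "ocsp" in the hostname.
OCSP_HINTS = ("ocsp",)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attribute dict, lowercased flag set).

    Attributes with a value (Domain=, Path=, Expires=) land in the dict;
    bare attributes (Secure, HttpOnly) land in the flag set.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    flags = set()
    for p in parts[1:]:
        if "=" in p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        elif p:
            flags.add(p.lower())
    return name.strip(), attrs, flags


def insecure_cookies_over_https(session):
    """Return (url, cookie name, cookie domain) for every cookie that an HTTPS
    response set without the Secure flag.  Such a cookie will also be sent on
    any plain-HTTP request to its domain, which is why a single http:// hop
    matters."""
    findings = []
    for url, headers in session:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue
        for h in headers:
            name, attrs, flags = parse_set_cookie(h)
            if "secure" not in flags:
                findings.append((url, name, attrs.get("domain", parts.hostname)))
    return findings


def plain_http_requests(session, ocsp_hints=OCSP_HINTS):
    """Return plain-HTTP request URLs, skipping hosts that look like OCSP responders."""
    out = []
    for url, _headers in session:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        if parts.hostname and any(hint in parts.hostname for hint in ocsp_hints):
            continue
        out.append(url)
    return out


if __name__ == "__main__":
    for url, name, domain in insecure_cookies_over_https(SAMPLE_SESSION):
        print(f"cookie {name!r} for {domain} set without Secure by {url}")
    for url in plain_http_requests(SAMPLE_SESSION):
        print(f"plain HTTP request: {url}")
```

Run against the constructed session, it reports the `prefs` cookie for `.discover.com` as set without Secure and the `http://www.discovercard.com/` request as the one non-OCSP plain-HTTP hop. Note that a cookie scoped to `.discover.com` is never sent to `discovercard.com` in the first place, so a login that redirects between those two domains has to establish its session on the second domain separately; forcing Secure on one domain's cookies does not by itself explain or fix what happens on the other.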