I'm teaching myself a touch of the most basic information security while toying
Question
I'm teaching myself a touch of the most basic information security while toying with web dev, so that I can get a better understanding of the whole picture.
Let's assume my website has user accounts that have nonzero personal information stored in them.
Is it ever appropriate to store session IDs associated with this connection over HTTP?
I ask because I was looking through my own cookies and I see some of the ones under "google.com" are marked as "send over any connection" -- am I correct in assuming that these session IDs are not in any way linked to personal information that an attacker / sniffer could obtain or abuse?
Explanation / Answer
If the cookie is meant to be kept private such as a session cookie, definitely not. Google may think that they don't need to specify that the cookie is sent over a secure connection because they already default to https for all secure aspects of the site. The most likely reason is probably because Google is set to be automatically redirected to https by the browser because of HSTS. Therefore, the cookie would most likely not be at risk of being sent over an insecure connection. However, it couldn't hurt.
It would be best to never send it over an unencrypted connection because there is a greater chance that an attacker will be able to read the cookie and access the user's account.
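As an added example (not part of the question or answer above, and not Google's configuration): a small Python audit that parses a `Set-Cookie` header, reports whether the cookie would be attached to plaintext HTTP requests (no `Secure` attribute), and notes whether an HSTS policy would narrow that exposure. The header values are constructed samples; `hsts_max_age` is the only caller-supplied assumption.

```python
from http.cookies import SimpleCookie

# Constructed sample headers: a session cookie that a browser would send over
# plaintext HTTP, and the same cookie with the attributes it should carry.
WEAK_SET_COOKIE = "sid=abc123; Path=/; HttpOnly"
SAFE_SET_COOKIE = "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
# Constructed Strict-Transport-Security value (one year, subdomains included).
HSTS_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts_max_age(header_value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_set_cookie(header_value: str, hsts_max_age: int = 0) -> dict:
    """Audit every cookie in a Set-Cookie header value.

    'sent_over_http' is True when the cookie lacks the Secure attribute, so a
    browser would attach it to any http:// request for the site.  HSTS makes
    the browser upgrade later requests itself, which shrinks the window but does
    not cover the first visit, so it is reported as a mitigation rather than
    clearing the finding.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])          # flag attributes parse as True or ""
        findings[name] = {
            "sent_over_http": not secure,
            "httponly": bool(morsel["httponly"]),
            "samesite": morsel["samesite"] or None,
            "mitigated_by_hsts": (not secure) and hsts_max_age > 0,
        }
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie value a session cookie should be issued with."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    max_age = parse_hsts_max_age(HSTS_HEADER)
    for label, header in (("weak", WEAK_SET_COOKIE), ("safe", SAFE_SET_COOKIE)):
        print(label, audit_set_cookie(header, hsts_max_age=max_age))
```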