Security Basics mailing list archives
Re: Re: Cookie Security
From: ellukicq () icqmail com
Date: 30 Apr 2008 10:57:36 -0000
Thanks for the feedback so far everyone. I'm getting plenty of comments regarding XSS. Although I understand that XSS would leave the suggested method (javascript:SessionID+hash-encrypt) vulnerable, I can't see that it is the method itself that is weak. Is the suggested technique, on its own, fundamentally flawed? That's my question. I have also received a point in the direction of HTTPOnly cookies, which sound promising for helping to secure the method against XSS! Thanks Marco! I know HTTPOnly means script is unable to read the content of these cookies, but does anyone know if JavaScript is allowed to update/create HTTPOnly cookies?
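The question above, about what script can and cannot do with an HttpOnly cookie, is illustrated by the following added example. It is not code from the thread or from any of its posters: it builds a hardened Set-Cookie header on the server side and then models the cookie-store rules a browser applies to the HttpOnly flag (RFC 6265 sections 5.3 and 5.4: a non-HTTP API such as document.cookie cannot read an HttpOnly cookie, cannot create one, and cannot replace an existing one). The class and function names (CookieStore, buildSessionCookie, demo) and the cookie values are assumptions made for this example; the store keys cookies by name and path only and is a model, not a browser.

```javascript
// Added example, not from the mailing-list thread. Models RFC 6265 HttpOnly
// handling; CookieStore/buildSessionCookie/demo are names chosen here.

// Server side: emit a session cookie with the defensive attributes a
// practitioner would expect (Secure, HttpOnly, SameSite, explicit Path).
function buildSessionCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  // Refuse values that could smuggle extra attributes or header lines.
  if (/[\s;,\r\n"\\]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

class CookieStore {
  constructor() { this.cookies = new Map(); } // key: name|path (domain omitted in this model)

  // Parse one Set-Cookie string into a cookie record.
  static parse(header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                     path: '/', httpOnly: false, secure: false };
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      const key = k.toLowerCase();
      if (key === 'httponly') cookie.httpOnly = true;
      else if (key === 'secure') cookie.secure = true;
      else if (key === 'path' && v) cookie.path = v;
    }
    return cookie;
  }

  // RFC 6265 5.3 storage algorithm; fromHttp is false for document.cookie writes.
  // Returns true if the cookie was stored, false if it was ignored.
  store(header, fromHttp) {
    const cookie = CookieStore.parse(header);
    // Step 6: a non-HTTP API cannot create a cookie carrying HttpOnly.
    if (!fromHttp && cookie.httpOnly) return false;
    const key = `${cookie.name}|${cookie.path}`;
    const old = this.cookies.get(key);
    // Step 10.2: a non-HTTP API cannot replace an existing HttpOnly cookie.
    if (old && !fromHttp && old.httpOnly) return false;
    this.cookies.set(key, cookie);
    return true;
  }

  // RFC 6265 5.4: build the Cookie header; a non-HTTP reader never sees HttpOnly cookies.
  read(fromHttp) {
    return [...this.cookies.values()]
      .filter(c => fromHttp || !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the cases the post asks about and return the outcomes.
function demo() {
  const jar = new CookieStore();
  jar.store(buildSessionCookie('SESSIONID', 'abc123'), true);         // set by the server over HTTP
  const scriptCanRead = jar.read(false).includes('SESSIONID');         // document.cookie read
  const scriptCanOverwrite = jar.store('SESSIONID=other', false);      // document.cookie write, same name
  const scriptCanCreateHttpOnly = jar.store('X=1; HttpOnly', false);   // script asks for HttpOnly
  const scriptCanSetPlain = jar.store('theme=dark', false);            // ordinary script cookie
  return { scriptCanRead, scriptCanOverwrite, scriptCanCreateHttpOnly, scriptCanSetPlain,
           serverSees: jar.read(true) };
}

console.log(demo());
```

Running it prints that script can neither read, overwrite nor create the HttpOnly session cookie, while it can still set an unrelated non-HttpOnly cookie and the server sees both. The behaviour modelled here is the one RFC 6265 (2011) later standardised; it protects the cookie's contents from script, but it does nothing about script on the same origin simply issuing requests that carry the cookie, which is why HttpOnly complements rather than replaces fixing XSS.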
Current thread:
- Cookie Security ellukicq (Apr 28)
- Re: Cookie Security Audrius (Apr 29)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Red Davies (Apr 29)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Jørgen Hovelsen (Apr 30)
- <Possible follow-ups>
- Re: Cookie Security waat (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Audrius (Apr 29)