Security Basics mailing list archives
Re: Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:35:32 +0300
2008/4/30 <ellukicq () icqmail com>:
> Thanks for the feedback so far everyone. Although I understand that XSS would leave the suggested method (javascript:SessionID+hash-encrypt) vulnerable, I can't see that it is the method itself that is weak. Is the suggested technique, on its own, fundamentally flawed? That's my question.
It will depend on the implementation of this method. Theory always looks good, but practice... :) How are you going to create the hash? Would it be possible to predict it if I have 10/20/50 other hashes, or if I have other data? Where will you store the session ID and this hash on the client's side? etc.
> I know HTTPOnly means script is unable to read the content of these cookies, but does anyone know if JavaScript is allowed to update/create HTTPOnly cookies?
The bad thing is that HTTPOnly works only for Internet Explorer. If the user uses Firefox, Opera or any other browser, then this method will not be useful.
Audrius
Current thread:
- Cookie Security ellukicq (Apr 28)
- Re: Cookie Security Audrius (Apr 29)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Red Davies (Apr 29)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Jørgen Hovelsen (Apr 30)
- <Possible follow-ups>
- Re: Cookie Security waat (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Audrius (Apr 29)