Vulnerability Development mailing list archives

Re: CSS, CSS & let me give you some more CSS


From: "Sverre H. Huseby" <shh () thathost com>
Date: Fri, 1 Feb 2002 22:25:43 +0100

[E M]

|   This brings me to the point that cookie based authentication is
|   unsafe inherently and as far as I can tell not something that
|   security minded developers would even consider.

Eh, you make me curious.  What would a security minded developer of,
say, a discussion forum where client side certificates are not an
option use instead of cookies?  I guess you won't say URL parameters,
so I am really curious.

My opinion is that the cookies are fine.  It is the output of scripts
that needs addressing.  A security minded developer would make a
framework that did not permit HTML (that is: washed, sanitized,
escaped, recoded, HTML encoded -- choose your favourite slang) tags
from any data, except from the templates of the pages.

Oh, well.  Friday night, just upgraded from ancient glibc 2.1.94 to
2.2.5 and had a few beers to give me courage to do the upgrade, so my
opinions may not even be worth the usual two cents at the moment.


Sverre.

-- 
shh () thathost com                     Play my free Nerd Quiz at
http://shh.thathost.com/                http://nerdquiz.thathost.com/
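
A worked illustration of the output-side fix Sverre describes, added here as an example and not code from the original post: a tiny forum-page renderer that HTML-encodes every data value it substitutes, so tags can only originate from the page template. The template, function names and the sample post data are constructed for the example.

```python
import html
import re

# A page template: the only place literal HTML tags are allowed to come from.
PAGE_TEMPLATE = (
    "<h1>Forum: {forum}</h1>\n"
    "<p>Posted by <a href=\"{profile}\">{author}</a></p>\n"
    "<div class=\"body\">{body}</div>"
)

# Constructed sample of the untrusted data a discussion forum stores:
# a profile link that tries to break out of its attribute, an author
# name carrying a script tag, and a body with inline markup.
SAMPLE_POST = {
    "forum": "Vulnerability Development",
    "profile": "/user?id=42\" onmouseover=\"alert(1)",
    "author": "<script>alert('xss')</script>",
    "body": "Cookies are <b>fine</b>; escape the output.",
}


def render_unsafe(template: str, data: dict) -> str:
    """The 'before': data is pasted into the page as-is, so a post that
    contains a <script> tag becomes part of the page's own markup."""
    return template.format(**data)


def render_safe(template: str, data: dict) -> str:
    """The framework Sverre describes: every value substituted into the
    template is HTML-encoded, so the only tags in the output are the
    template's own."""
    def encode(match: re.Match) -> str:
        # quote=True also encodes " and ', so values placed inside an
        # attribute cannot close it and add new attributes.
        return html.escape(str(data[match.group(1)]), quote=True)
    return re.sub(r"\{(\w+)\}", encode, template)


def script_tags(page: str) -> int:
    """Count live <script> tags in rendered markup (a quick check, not a parser)."""
    return len(re.findall(r"<script\b", page, flags=re.IGNORECASE))
```

Running both renderers over the same sample post shows one script tag and an injected `onmouseover` attribute in the unsafe page, and none in the encoded one, while the template's `<h1>`, `<p>` and `<a>` tags survive untouched.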

