Re: Maia Mailgaurd http://www.renaissoft.com/maia/

[Chuck <chuck.lists () gmail com>]

Responses below....

On 7/18/05, Achim Hoffmann <kirke11 () securenet de> wrote:
> !! In short, you are better off putting the session id in a cookie than
> !! putting it in the URL. 

> In short, it is much simpler to steal session ids from cookies than from
> URL, exceptions see below. 

No, they are both easy.  If there is a XSS on the site, then you can
get the URL with window.location.href.

> Cookies are unsecure, unfortunately.

I disagree.  Cookies are often insecurely used, but they can be a part
of a "secure" application and I think that they are sufficient for the
type of application the original poster was describing.  They are not
perfect, but they are better than the alternatives that are available
in browsers today.

> And more worse, most application don't take care for example by using FQDN
> and proper path= attribute and secure flag.

I agree with this, applications often do not use Cookies properly,
which is part of the problem.  I also agree with you that the
application should not invalidate session IDs after some amount of
time to minimize the possibility of session hijacking.

Chuck