Security Basics mailing list archives

Re: Re: Cookie Security

From: ellukicq () icqmail com
Date: 30 Apr 2008 10:57:36 -0000

Thanks for the feedback so far everyone.


I'm getting plenty of comments regarding XSS

Although I understand that XSS would leave the suggested method (javascript:SessionID+hash-encrypt) vulnerable, I cant 
see that it is the method itself that is weak.

Is the suggested technique, on its own, fundamentally flawed? Thats my question.


I have also received a point in the direction of HTTPOnly cookies which sound promising for helping to secure the 
method against XSS! Thanks Marco!

I know HTTPOnly means script is unable to read the content of these cookies, but does anyone know if JavaScript is 
allowed to update/create HTTPOnly cookies?

Current thread:

Cookie Security ellukicq (Apr 28)
- Re: Cookie Security Audrius (Apr 29)
  - Re: Cookie Security Orlin Gueorguiev (Apr 30)
    - Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Red Davies (Apr 29)
  - Re: Cookie Security Audrius (Apr 30)
  - Re: Cookie Security Jørgen Hovelsen (Apr 30)
- <Possible follow-ups>
- Re: Cookie Security waat (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 30)
  - Re: Re: Cookie Security Audrius (Apr 30)
- Re: Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)