WebApp Sec mailing list archives

RE: Growing Bad Practice with Login Forms

From: Konstantin Ryabitsev <icon () phy duke edu>
Date: Tue, 27 Jul 2004 10:28:42 -0400

On Tue, 2004-07-27 at 10:20 -0400, Stan Guzik wrote:

Once you enter the site they set their cookie without SSL.  This is not
a good practice because it leaves the cookie (maybe session management)
open to a sniffing attack.


This is indeed a valid concern, but a separate issue. If you got a
session cookie over cleartext, then authenticated over SSL, your session
can be compromised if the same session is used to identify you past-
login.

Regards,
-- 
Konstantin Ryabitsev
Duke University Physics

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

RE: Growing Bad Practice with Login Forms, (continued)
- RE: Growing Bad Practice with Login Forms Thomas Schreiber (Jul 27)
  - RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
    - Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
    - Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
    - Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
    - Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
    - Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
    - Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)
- Re: Growing Bad Practice with Login Forms Paul Johnston (Jul 28)
- RE: Growing Bad Practice with Login Forms Stan Guzik (Jul 27)
  - RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
    - Re: Growing Bad Practice with Login Forms Darragh O'Brien (Jul 27)
- RE: Growing Bad Practice with Login Forms Lane Weast (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
  - Summary: Growing Bad Practice with Login Forms athena (Jul 27)
    - Re: Summary: Growing Bad Practice with Login Forms Ivan Andres Hernandez Puga (Jul 28)
    - Re: Summary: Growing Bad Practice with Login Forms David Telfer (Jul 28)
    - Re: Summary: Growing Bad Practice with Login Forms Rogan Dawes (Jul 28)
    - Re: Summary: Growing Bad Practice with Login Forms athena (Jul 28)
    - RE: Summary: Growing Bad Practice with Login Forms Yvan Boily (Jul 28)
    - RE: Summary: Growing Bad Practice with Login Forms Mike Peppard (Jul 28)

(Thread continues...)