OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Halpin Robert B Contr ACC/SCNF (KEI) (Rob.Halpinlangley.af.mil)
Date: Mon Aug 13 2001 - 07:58:46 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I am not going to claim to be THE authority on this topic, nor will I claim
    to have spent a lot of time researching it. I am basing my answer on
    testing I did. I used IE5.5 (with persistent and non-persistent cookies set
    to prompt) on a couple sets of pages I built. On the pages that actually
    set a cookie, I was prompted to allow the computer drop the file on me. On
    the pages that were using only session variables, I got no prompt for a
    cookie and the session tracked me just fine.

    I don't know if these are supposed to work that way, but they do.

    -----Original Message-----
    From: Norman Cook [mailto:normancookonebox.com]
    Sent: Thursday, August 09, 2001 5:54 PM
    To: Halpin Robert B Contr ACC/SCNF (KEI)
    Cc: www-mobile-codesecurityfocus.com
    Subject: RE: How do I set a non-persistent cookie ?

    IMHO - Not true. If you disable cookie you disable cookies. Cookies are
    just set:cookie headers in HTTP and the only difference between a cookie
    thats stored to disk and a RAM cookie is an expiry date.

    It sounds to me that a VB session variable is an API call to creating
    a session token that is sent as a RAM cookie.

    I am also curious of the cryptograhy behind that session token....

    ---- "Halpin Robert B Contr ACC/SCNF (KEI)" <Rob.Halpinlangley.af.mil>
    wrote:
    > The simplest non-persistent cookie is the session variable.
    >
    > In ASP using VBscript it's as easy as Session("variableName")=value
    >
    > Session variables are not disabled/prevented by users turning off cookies
    > on
    > their browsers because it does not store any files on their computers.
    > By
    > default, session variables expire 15-20 mintes after the browser leaves
    > that
    > site...of course, the safest way to make sure any session variable
    > info is
    > non-retrievable is to close the browser.
    >
    >
    >
    > -----Original Message-----
    > From: vertigo [mailto:vertigopanix.com]
    > Sent: Wednesday, August 08, 2001 12:48 PM
    > To: Norman Cook
    > Cc: www-mobile-codesecurityfocus.com
    > Subject: Re: How do I set a non-persistent cookie ?
    >
    >
    > Yep, that's the answer--no expiration.
    >
    >
    >
    > On Tue, 7 Aug 2001, Norman Cook wrote:
    >
    > > This maybe really obvious but I want to set a cookie that is
    > non-persistent
    > > on the browser ie a RAm cookie. Is it as simple as not setting an
    > expiry
    > > date or am I missing something obvious ?
    > >
    > > __________________________________________________
    > > FREE voicemail, email, and fax...all in one place.
    > > Sign Up Now! http://www.onebox.com
    > >
    > >
    >

    __________________________________________________
    FREE voicemail, email, and fax...all in one place.
    Sign Up Now! http://www.onebox.com