From: Sverre H. Huseby (shh_at_thathost.com)
Date: Mon Aug 26 2002 - 11:43:25 CDT
[Alex Russell]
| Yes, the attacker would require some level of heightened access to
| get to the cookie, but with browsers like IE (see last friday's
| announcements), that's not such a high bar to hit = )
I have to admit that I normally do not care about security holes in
client-side software. A web application that should be secure even if
the client software (browser, OS and all) isn't patched (and thus
possibly fully controlled by an attacker), would need more protective
mechanisms than are seen in today's online banks.
As I have no idea how those mechanisms should be implemented (or even
if there are such mechanisms at all), I tend to play a "not my
problem" trick whenever client-side issues show up. That's probably
why I still have faith in cookie-based, long, random numbers for
session-ids. :)
Sverre.
--
shh@thathost.com                 http://shh.thathost.com/
Computer Geek? Try my Nerd Quiz  http://nerdquiz.thathost.com/
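The post's position is that a cookie-based session id is sound as long as it is long and genuinely random, and that a compromised client is out of scope. The following is an added example, not code from the poster or the list, showing what "long, random" has to mean in practice: the id comes from the operating system's CSPRNG (256 bits), the server stores only a hash of it so a leaked session table does not hand out live ids, and a deliberately weak generator seeded from a guessable value is shown beside it to make the predictability problem concrete. The cookie name SESSIONID, the `predictable_session_id` helper and the hash-keyed `SessionStore` are assumptions for illustration; the Secure and HttpOnly attributes are later mitigations that the post itself does not mention.

```python
import hashlib
import random
import secrets

SESSION_ID_BYTES = 32  # 256 bits of entropy, far beyond any online guessing budget


def new_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Return an opaque, unpredictable session id drawn from the OS CSPRNG.

    token_urlsafe base64-encodes nbytes of os.urandom() output without
    padding, so 32 bytes become a 43-character cookie-safe string.
    """
    return secrets.token_urlsafe(nbytes)


def entropy_bits(nbytes: int = SESSION_ID_BYTES) -> int:
    """Bits of entropy in an id of nbytes random bytes (the guessing work factor)."""
    return nbytes * 8


def predictable_session_id(seed: int) -> str:
    """Deliberately WEAK generator (constructed for contrast, do not use).

    random.Random is a Mersenne Twister, not a CSPRNG; with a guessable seed
    such as a timestamp or process id, anyone who reproduces the seed
    reproduces the id, however long it looks.
    """
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def _fingerprint(sid: str) -> str:
    """Key the store by SHA-256 of the id, never by the id itself."""
    return hashlib.sha256(sid.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side session table; the cookie carries only the opaque id.

    Hash-keyed lookup means a dump of the table does not yield usable ids,
    and the comparison is on fixed-length digests rather than on the
    attacker-supplied string.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[_fingerprint(sid)] = {"user": user}
        return sid

    def lookup(self, sid: str):
        if not isinstance(sid, str) or not sid.isascii():
            return None
        return self._sessions.get(_fingerprint(sid))

    def destroy(self, sid: str) -> None:
        self._sessions.pop(_fingerprint(sid), None)


def set_cookie_header(sid: str, secure: bool = True) -> str:
    """Build the Set-Cookie line for the id (cookie name SESSIONID is assumed).

    Secure keeps the id off plaintext connections; HttpOnly keeps it away
    from page script on browsers that honour the attribute. Neither helps
    against a fully compromised client, which is exactly the post's point.
    """
    attrs = ["Path=/"]
    if secure:
        attrs.append("Secure")
    attrs.append("HttpOnly")
    return "Set-Cookie: SESSIONID=%s; %s" % (sid, "; ".join(attrs))


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print("lookup ok:", store.lookup(sid))
    # Constructed demonstration of the weak generator: same seed, same id.
    print("weak ids equal:", predictable_session_id(1030378400) ==
          predictable_session_id(1030378400))
```

Two ids from `new_session_id()` are never expected to collide, and nothing short of brute-forcing 2^256 values recovers one; the `predictable_session_id` pair shows that length alone buys nothing when the seed is guessable.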