
Security Basics mailing list archives

Re: Re: Cookie Security
From: ellukicq () icqmail com
Date: 30 Apr 2008 10:57:36 -0000

Thanks for the feedback so far everyone.

I'm getting plenty of comments regarding XSS…

Although I understand that XSS would leave the suggested method (javascript:SessionID+hash-encrypt) vulnerable, I can’t 
see that it is the method itself that is weak.

Is the suggested technique, on its own, fundamentally flawed? That’s my question.

I have also received a point in the direction of “HTTPOnly” cookies which sound promising for helping to secure the 
method against XSS! Thanks Marco!

I know HTTPOnly means script is unable to read the content of these cookies, but does anyone know if JavaScript is 
allowed to update/create HTTPOnly cookies?
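As an added illustration (not part of this post or any reply to it), the following Python snippet models the RFC 6265 section 5.3 cookie-storage rules that decide what script can do to an HttpOnly cookie: a cookie arriving from a "non-HTTP API" such as document.cookie is ignored if it carries the HttpOnly attribute (step 10) or if it would replace an existing HttpOnly cookie (step 11.2), and document.cookie reads omit HttpOnly cookies entirely. The CookieJar class, its method names and the sample cookie values are this example's own constructions.

```python
"""Model of the RFC 6265 section 5.3 rules that govern HttpOnly cookies.

Added example, not part of the original mailing-list post. It simulates a
browser cookie jar receiving cookies either from an HTTP response
(Set-Cookie header) or from a "non-HTTP API" (document.cookie), and applies
the two HttpOnly checks from RFC 6265 section 5.3 plus the read-side rule
that document.cookie never exposes HttpOnly cookies.
The CookieJar class and its method names are inventions of this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False


class CookieJar:
    def __init__(self) -> None:
        # name -> Cookie; insertion order is preserved, which is enough here
        self._store: Dict[str, Cookie] = {}

    @staticmethod
    def _parse(set_cookie: str) -> Cookie:
        # Minimal Set-Cookie parser: "name=value; Attr; Attr=val".
        # Only the HttpOnly attribute matters for this model.
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        http_only = any(p.lower() == "httponly" for p in parts[1:])
        return Cookie(name.strip(), value.strip(), http_only)

    def store(self, set_cookie: str, from_http: bool) -> bool:
        """Apply the storage rules; return True if stored, False if ignored."""
        cookie = self._parse(set_cookie)
        # RFC 6265 s5.3 step 10: a non-HTTP API cannot create an HttpOnly cookie
        if not from_http and cookie.http_only:
            return False
        old: Optional[Cookie] = self._store.get(cookie.name)
        # RFC 6265 s5.3 step 11.2: a non-HTTP API cannot replace an HttpOnly cookie
        if old is not None and not from_http and old.http_only:
            return False
        self._store[cookie.name] = cookie
        return True

    def set_from_http(self, set_cookie: str) -> bool:
        return self.store(set_cookie, from_http=True)

    def set_from_script(self, set_cookie: str) -> bool:
        return self.store(set_cookie, from_http=False)

    def cookie_header(self) -> str:
        # What the browser sends to the server: every cookie, HttpOnly included
        return "; ".join(f"{c.name}={c.value}" for c in self._store.values())

    def document_cookie(self) -> str:
        # What document.cookie shows to script: HttpOnly cookies are omitted
        return "; ".join(
            f"{c.name}={c.value}" for c in self._store.values() if not c.http_only
        )


def demo() -> dict:
    """Walk through the question asked in the post and return the outcomes."""
    jar = CookieJar()
    # Constructed sample cookies, as a server would set them
    jar.set_from_http("SESSIONID=abc123; HttpOnly; Secure")
    jar.set_from_http("theme=dark")
    return {
        "script_sees_session": "SESSIONID" in jar.document_cookie(),
        "script_create_httponly": jar.set_from_script("token=x; HttpOnly"),
        "script_overwrite_httponly": jar.set_from_script("SESSIONID=other"),
        "script_update_plain": jar.set_from_script("theme=light"),
        "wire": jar.cookie_header(),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

Running the demo shows the three answers a conforming browser gives: script cannot read the HttpOnly session cookie, cannot create a cookie with the HttpOnly attribute, and cannot overwrite an existing HttpOnly cookie, while an ordinary cookie such as theme remains writable and the server still receives both on the wire. The caveat for the scheme under discussion is that HttpOnly only hides the cookie's value from script; requests issued by injected script still carry the cookie, so it limits what an XSS can exfiltrate rather than removing the XSS risk.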

