Home page logo

basics logo Security Basics mailing list archives

Re: Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:35:32 +0300

2008/4/30  <ellukicq () icqmail com>:
Thanks for the feedback so far everyone.
 Although I understand that XSS would leave the suggested method (javascript:SessionID+hash-encrypt) vulnerable, I 
can't see that it is the method itself that is weak.

 Is the suggested technique, on it's own, fundamentally flawed? That's my question.

It will depend on the implementation of this method. Theory always
looks good, but practice... :) How you gona create hash? Would it be
possible to predict it if I will have 10/20/50 other hashes, if I will
have another data? Where you will store sessionID and this hash on
clients side? etc.

 I know HTTPOnly means script is unable to read the content of these cookies, but does anyone know if JavaScript is 
allowed to update/create HTTPOnly cookies?

The bad thing is that HTTPOnly works only for Internet Explorer. If
user will use FireFox, Opera or any other browser, then this method
will not be useful.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]