Re: Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:35:32 +0300
2008/4/30 <ellukicq () icqmail com>:
> Thanks for the feedback so far everyone.
> can't see that it is the method itself that is weak.
> Is the suggested technique, on its own, fundamentally flawed? That's my question.
It will depend on the implementation of this method. Theory always
looks good, but practice... :) How are you going to create the hash? Would it be
possible to predict it if I have 10/20/50 other hashes, or if I
have other data? Where will you store the sessionID and this hash on the
client's side? etc.
> allowed to update/create HTTPOnly cookies?
The bad thing is that HTTPOnly works only for Internet Explorer. If the
user uses Firefox, Opera or any other browser, then this method
will not be useful.
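As an added illustration of the "how will you create the hash" point (example code, not from this thread or any project it mentions), the Python below contrasts an unkeyed hash, which anyone who has studied a few issued cookies can reproduce for a sid of their choosing, with an HMAC under a server-side secret, and shows the Set-Cookie line that marks the cookie HttpOnly and Secure. The key, the target sid and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server secret for this example; a real deployment loads it from a
# secret store and rotates it, never hard-codes it.
SERVER_KEY = secrets.token_bytes(32)

def weak_cookie(sid: str) -> str:
    """Unkeyed scheme: '<sid>.<sha256(sid)>'. The hash depends only on public
    input, so anyone who works out the construction can mint a valid pair."""
    return sid + "." + hashlib.sha256(sid.encode()).hexdigest()

def verify_weak(value: str) -> Optional[str]:
    sid, _, tag = value.rpartition(".")
    expected = hashlib.sha256(sid.encode()).hexdigest()
    return sid if sid and hmac.compare_digest(tag.encode(), expected.encode()) else None

def keyed_cookie(sid: str, key: bytes) -> str:
    """Keyed scheme: '<sid>.<HMAC-SHA256(key, sid)>'. Seeing other issued cookies
    gives an observer no way to compute the tag for a sid they pick."""
    return sid + "." + hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()

def verify_keyed(value: str, key: bytes) -> Optional[str]:
    """Return the sid if the tag checks out, else None. compare_digest keeps
    the comparison constant-time."""
    sid, _, tag = value.rpartition(".")
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return sid if sid and hmac.compare_digest(tag.encode(), expected.encode()) else None

def issue_session(key: bytes) -> Tuple[str, str]:
    """Random, unguessable sid plus a Set-Cookie line that keeps the cookie out
    of page scripts (HttpOnly) and off cleartext HTTP (Secure)."""
    value = keyed_cookie(secrets.token_urlsafe(32), key)
    return value, f"Set-Cookie: session={value}; Path=/; HttpOnly; Secure; SameSite=Lax"

def forgery_outcomes(key: bytes) -> Tuple[bool, bool]:
    """Someone who has seen issued cookies but holds no key tries to mint a
    cookie for a sid they chose. Returns (weak_accepted, keyed_accepted)."""
    chosen = "victim-session-0001"          # constructed target sid
    weak_forgery = weak_cookie(chosen)      # reproducible without any secret
    # Without the key, the best guess against the keyed scheme is the same
    # unkeyed construction; the server's HMAC will not match it.
    keyed_forgery = chosen + "." + hashlib.sha256(chosen.encode()).hexdigest()
    return (verify_weak(weak_forgery) == chosen,
            verify_keyed(keyed_forgery, key) == chosen)
```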