Re: Re: Cookies at XML Europe 2004 -- Call for Participation

To: Elliotte Rusty Harold <elharo@m...>
Subject: Re: Re: Cookies at XML Europe 2004 -- Call for Participation
From: Rich Salz <rsalz@d...>
Date: Wed, 7 Jan 2004 20:34:40 -0500 (EST)
Cc: "xml-dev@l..." <xml-dev@l...>
In-reply-to: <p0601021dbc2234b3cf2d@[192.168.254.4]>

Play the video

> >No.  I'm saying without rest I send it once, store it at the server,
> >use a cookie to refer to it in future transactions.
>
> Is the cookie sent unencrypted? If so, and we're not using SSL (as is
> the case in many cookie scenarios) what, if anything, prevents an
> attacker from snarfing the authentication cookie as it makes its way
> back from the client to the server (or in the other direction) and
> adding that to its own requests to the same server?

The cookie that references the server state must be treated almost as
securely as a cookie containing password information, or an HTTP
basic-auth application.  In practice, this often means SSL for data
privacy while in transit.  Other mechanisms -- the credentials could
record the client's IP address, for example -- are also possible.

The differences between a login session and basic-auth/digest style,
is two-fold.  First, if stolen, the impersonation is good for a
finite time, not until I notice and change my password.  The second,
is that the adversary only has session credentials, and not my
long-term login password.  Those are very significant differences.

So the attacks you are concerned about don't happen, and if they did
much less damage is done.
        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

Follow-Ups:
- Re: Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: Alaric B Snell <alaric@a...>
- Re: Re: Cookies at XML Europe 2004 -- Call forParticipation
  - From: Elliotte Rusty Harold <elharo@m...>

References:
- Re: Re: Cookies at XML Europe 2004 -- Call forParticipation
  - From: Elliotte Rusty Harold <elharo@m...>

Prev by Date: Why is xml:base a URI *reference*?
Next by Date: Re: Re: Cookies at XML Europe 2004 -- Call for Participation
Previous by thread: Re: Re: Cookies at XML Europe 2004 -- Call forParticipation
Next by thread: Re: Re: Cookies at XML Europe 2004 -- Call forParticipation
Index(es):
- Date
- Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.


	Stylus Studio® Developer Network \| Contact Us \| Email this page