|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Cookies at XML Europe 2004 -- Call for Participation
> The differences between a login session and basic-auth/digest style, > is two-fold. First, if stolen, the impersonation is good for a > finite time, not until I notice and change my password. The second, > is that the adversary only has session credentials, and not my > long-term login password. Those are very significant differences. Indeed, in particular because sites with varying levels of security such as Amazon will use a cookie to identify you so you can alter your personal details, see stuff customised, and so on, but when you go to actually order they ask you to enter your password again. So somebody who steals the session by intercepting one request's cookie will not be able to order things, unlike somebody who stole an HTTP Auth request. Also, many people reuse the same username/password on different sites, but the same cookie will only ever be valid on different sites by extreme unlikely chance :-) ABS
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||

Cart








