It's about 5 minutes of work for an experienced user - modify /etc/hosts
or c:\winnt\hosts.sam to point www.domain.com to localhost and write a
small script that'd set a session cookie.

Also, my IE5 stores all the cookies as plaintext in this directory:
C:\Documents and Settings\zoro\Cookies

Besides, AFAIR, some browsers allow modifying cookies - I'm not sure if
BrowseX allows setting cookies - if not from GUI then from Tcl.

I think that anything the user supplies cannot be trusted and as such
sessions are a real problem to make secure.

And I'm not sure if path_info works on AOLserver... Haven't tried it.

Peter M. Jansson wrote:

> On Thu, 27 Dec 2001, Wojciech Kocjan wrote:
>
>
>>First of all, why do I need cookie? My SIDs are 32bytes long so guessing
>>it could be a bit of a PITA. And if someone would sniff the SID, he
>>could set his browser's cookies to send this SID. So I don't understand
>>how cookies might help? [especially that they are sent from a
>>potentially untrusted user]
>>
>
> The one way cookies can help avoid hijacking is in a
> security-through-obscurity sense, since it's more difficult to set a
> cookie using the conventional command-line tools, or even through browsers
> (browsers I use allow viewing and deleting of cookies, but not creation,
> as far as I know).
>
>
>>And about relative links, I guess that using
>><BASE HREF="http://www.domain.com/sid0123456789ABCDEF"> should solve
>>relative this problem as well :-)
>>
>
> You could also tack the sid on to the end of the url, after the pagename,
> so that the sid is available as path_info.

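The thread's point is that the SID is the credential, whichever way it arrives (cookie or path_info), so the server must treat both as untrusted and validate them the same way. The following is an added Python example, not code from this thread or from AOLserver; the `/sid<hex>` path segment, the cookie name `sid`, and the hashed server-side table are assumptions made for the illustration.

```python
import hashlib
import re
import secrets
import time

SID_BYTES = 32  # 32 random bytes, as in the thread; 64 hex chars on the wire
# Hypothetical layouts: "/sid<hex>" as a path segment, and a cookie named "sid".
PATH_SID = re.compile(r"(?:^|/)sid([0-9a-fA-F]{64})(?=/|$)")
COOKIE_SID = re.compile(r"(?:^|;\s*)sid=([0-9a-fA-F]{64})(?=;|$)")


class SessionStore:
    """Server-side table keyed by a hash of the SID, so a leaked table
    does not directly yield usable session identifiers."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for deterministic tests
        self._table = {}            # sha256(sid) -> (expires_at, data)

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.lower().encode()).hexdigest()

    def create(self, data):
        sid = secrets.token_hex(SID_BYTES)   # CSPRNG, not guessable
        self._table[self._key(sid)] = (self.clock() + self.ttl, data)
        return sid

    def lookup(self, sid):
        key = self._key(sid)
        entry = self._table.get(key)
        if entry is None:
            return None
        expires_at, data = entry
        if self.clock() > expires_at:
            del self._table[key]             # expired: drop it
            return None
        return data


def extract_sid(path_info, cookie_header=""):
    """Candidate SID from either transport the thread discusses. Both are
    client-supplied, so both get the same strict format check."""
    for pattern, source in ((COOKIE_SID, cookie_header or ""),
                            (PATH_SID, path_info or "")):
        m = pattern.search(source)
        if m:
            return m.group(1).lower()
    return None


def resolve_session(store, path_info, cookie_header=""):
    sid = extract_sid(path_info, cookie_header)
    return None if sid is None else store.lookup(sid)
```

A SID that is well-formed but unknown, truncated, or expired resolves to no session; the transport it came over makes no difference.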