Secure cookies mean that you can't read them from a non-SSL response IIRC; however, you can still set them from a plaintext message, so session fixation is still possible.
On Wednesday, February 6, 2013 at 6:41 PM, Richard Jones wrote:
> On 7 February 2013 09:55, Donald Stufft <donald.stu...@gmail.com> wrote:
> > http://en.wikipedia.org/wiki/Session_fixation
> >
> > packages.python.org can set a .python.org cookie which www.python.org will
> > read.
> >
>
> Damn, cookies are busted :-(
>
> At least secure cookies are safe, right? Right? Ugh, probably not.
>
> So the only real solution is the one you use, which is to set up the
> unsafe content on a separate domain. Easy enough, even I can buy
> domains ;-)
>
>
> Richard
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
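The thread's two concerns are that a sibling subdomain can plant a parent-domain cookie, and that the Secure attribute alone does not stop a cookie from being set. The following is an added example, written for this page and not code from the thread, from PyPI or from any python.org service; it sketches the server-side mitigations a defender would pair with the separate-domain approach Richard mentions: never accept a session identifier the server did not issue, rotate the identifier on login, and emit the cookie as a host-only `__Host-` cookie so the browser itself rejects any `Domain=` variant set by another host. The cookie name `__Host-session`, the `SessionStore` class and the sample user names are assumptions; the `__Host-`/`__Secure-` prefix rules follow RFC 6265bis as implemented by current browsers.

```python
"""Session-fixation mitigations (added example, not from the thread).

1. A fixated identifier is never upgraded: login always issues a fresh id
   and forgets whatever id the client presented.
2. The cookie is emitted with the __Host- prefix, Secure, Path=/ and no
   Domain attribute, so a cookie planted by a sibling subdomain with
   Domain=.python.org would be rejected by a conforming browser.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "__Host-session"  # hypothetical cookie name


class SessionStore:
    """In-memory store mapping server-issued session ids to their state."""

    def __init__(self):
        self._sessions = {}

    def new_anonymous(self):
        """Issue an unauthenticated session id (e.g. on first visit)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Return the session state, or None for any id we did not issue."""
        return self._sessions.get(sid)

    def login(self, presented_sid, user):
        """Authenticate and rotate the identifier.

        The presented id (issued by us or fixed by an attacker) is dropped,
        so anyone who knew it learns nothing about the authenticated session.
        """
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def cookie_prefix_ok(name, attrs):
    """Self-check mirroring the browser rules for cookie name prefixes.

    A prefixed cookie that violates them is discarded by the browser, so a
    server that gets this wrong silently loses its own session cookie.
    """
    secure = bool(attrs.get("secure"))
    if name.startswith("__Host-"):
        return secure and "domain" not in attrs and attrs.get("path") == "/"
    if name.startswith("__Secure-"):
        return secure
    return True


def session_cookie_header(sid):
    """Build the Set-Cookie value for a server-issued session id."""
    # Deliberately no Domain attribute: host-only cookie. Combined with the
    # __Host- prefix, a sibling host cannot shadow it with a Domain= cookie.
    attrs = {"secure": True, "httponly": True, "path": "/", "samesite": "Lax"}
    if not cookie_prefix_ok(COOKIE_NAME, attrs):
        raise ValueError("cookie attributes violate the name-prefix rules")
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    for key, value in attrs.items():
        cookie[COOKIE_NAME][key] = value
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    # Constructed scenario: the victim arrives carrying an attacker-chosen id.
    fixated = "attacker-chosen-id"
    sid = store.login(fixated, "alice")
    print("rotated:", sid != fixated, "fixated id now maps to:", store.lookup(fixated))
    print("Set-Cookie:", session_cookie_header(sid))
```

The store never distinguishes "unknown id" from "attacker-fixed id"; both simply fail `lookup`, and `login` discards whatever was presented. The prefix check runs at cookie-emission time because a `__Host-` cookie accidentally given a `Domain` attribute is not a weaker cookie, it is no cookie at all once the browser enforces the rule.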