Quoting Donald Stufft <donald.stu...@gmail.com>:

>> Why is that? If the issue is for www.python.org, then packages.python.org
>> cannot steal it, can it?
>
> Session Fixation.

Hmm. Correct me if I'm wrong, but the article you cited
claims that this is easily solved by not using the session
ID in GET/POST variables (but only in cookies).

>> - don't use cookies 2: use TLS session IDs instead
>
> Pretty sure these are passed cleartext, hope you didn't want your
> sessions MITM'd

Hmm. Again in the article you cite, and also in many other
sources, common wisdom is that this *is* safe against
MITM.
Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
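The "Session Fixation" point in the exchange above is about an ID the client already carries before logging in, not about one host reading another host's cookie. The standard server-side defence is to issue a brand-new session ID at the moment of authentication, so a pre-login ID never becomes an authenticated one. The following is an added illustration written for this page; it is not code from the Catalog-SIG thread, from python.org, or from any real session library. The `SessionStore` class, the `fixation_outcome` and `regenerate_preserves_state` helpers, and the constructed `planted_sid` value are all assumptions made for the example.

```python
"""Added example: session-fixation defence by regenerating the ID at login.

Not from the mailing-list thread or any python.org service; all names and
the sample session ID below are constructed for illustration.
"""
import secrets
from typing import Dict, Optional


class Session:
    """Server-side session record: who is logged in and attached state."""

    def __init__(self, user: Optional[str] = None, data: Optional[dict] = None):
        self.user = user
        self.data = data if data is not None else {}


class SessionStore:
    """In-memory session table keyed by the opaque ID carried in a cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _fresh_id() -> str:
        # 256 bits from the OS CSPRNG; never derived from client input.
        return secrets.token_urlsafe(32)

    def new(self) -> str:
        sid = self._fresh_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, regenerate: bool) -> str:
        """Authenticate the session and return the ID the client must use
        from now on.

        regenerate=False is the vulnerable pattern: whatever ID the client
        showed up with (possibly fixed before login) becomes authenticated.
        regenerate=True is the mitigation: the pre-login ID is discarded and
        authentication is bound to a freshly generated one.
        """
        pre = self._sessions.get(sid)
        if not regenerate:
            if pre is None:
                # Adopting an unknown, client-supplied ID is the flaw itself.
                pre = Session()
                self._sessions[sid] = pre
            pre.user = user
            return sid
        new_sid = self._fresh_id()
        carried = dict(pre.data) if pre is not None else {}
        self._sessions.pop(sid, None)  # the pre-login ID is dead after login
        self._sessions[new_sid] = Session(user=user, data=carried)
        return new_sid


def fixation_outcome(regenerate: bool) -> bool:
    """Report whether an ID known before login resolves to the authenticated
    session afterwards (True means fixation succeeded)."""
    store = SessionStore()
    # Constructed scenario: the browser arrives with an ID the server never
    # issued, i.e. one that was fixed before login.
    planted_sid = "constructed-id-fixed-before-login"
    store.login(planted_sid, "alice", regenerate=regenerate)
    via_old = store.get(planted_sid)
    return via_old is not None and via_old.user == "alice"


def regenerate_preserves_state() -> bool:
    """Check that regeneration rotates the ID but keeps pre-login state."""
    store = SessionStore()
    sid = store.new()
    store.get(sid).data["cart"] = ["pkg"]
    new_sid = store.login(sid, "bob", regenerate=True)
    return (new_sid != sid
            and store.get(sid) is None
            and store.get(new_sid).user == "bob"
            and store.get(new_sid).data == {"cart": ["pkg"]})


if __name__ == "__main__":
    print("fixation works without regeneration:", fixation_outcome(False))
    print("fixation works with regeneration:   ", fixation_outcome(True))
    print("state survives regeneration:        ", regenerate_preserves_state())
```

The ID is rotated on the server side and the old one is deleted, so it does not matter how the client obtained the pre-login value; whether the ID travels in a cookie or elsewhere only changes how easily it can be fixed, not whether regeneration closes the hole.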