Like I said .. turning off cookies won't save you from someone getting to
the cookies you already have stored on your machine.  Besides, the problem
ISN'T with cookies .. it's with crappy MS security .. surprise, surprise.
Notice how the only people affected by this at all are people using IE and
Windows ... quite the dynamic duo.  Netscape doesn't have this problem and
neither do any other operating systems.  I say don't worry about it and use
your cookies .. just, now we have to take on the added responsibility of
designing our sites to provide Microsoft's cookie security for them.  Now ..
anyone have any useful ideas on how to do this?

One thing I can think of is .. the timing of this 'hack' is awkward.
Someone would have to go to that special URL for the would-be 'hacker' to
get the info in question.  How often do you think that is going to happen?
One helpful precaution is to expire potentially sensitive cookies as soon as
possible.  If you set the expiration for 30 minutes or so, the chances of
that cookie getting snagged are small, I would think.  If someone can't fill
out a form in 30 minutes .....

Anyone have other ideas?

Todd Ashworth
Web Application Developer
(803) 327-0137 [111]
_____________________________________________
Ask about our low-cost, 100% user-configurable, turn-key
web sites that can have your business on the web in minutes!
Saber Designs - Web sites done right, right now!
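The two mitigations that come up in this thread (Todd's short cookie expiry above, and Sharon's point quoted below that the CF session cookie holds only opaque CFID/CFTOKEN values rather than user data) can be shown together in a few lines of server-side code. The block below is an added example for this archive page, not code from anyone in the thread and not ColdFusion's implementation; the cookie name SESSIONID, the single random token standing in for the CFID/CFTOKEN pair, and the 30-minute window are assumptions taken from the discussion. It also shows the caveat a practitioner should keep in mind: a short expiry narrows the window, it does not close it.

```python
import secrets
from email.utils import formatdate
from typing import Dict, Optional, Tuple

# Assumed window, matching the "30 minutes or so" suggested in the post.
SESSION_TTL_SECONDS = 30 * 60


class SessionStore:
    """Server-side session state keyed by an opaque token.

    The cookie carries only the token; everything sensitive stays on the
    server, so a snagged cookie reveals nothing by itself and stops working
    once the entry expires or is destroyed.
    """

    def __init__(self, ttl: int = SESSION_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._sessions: Dict[str, Tuple[float, dict]] = {}

    def create(self, data: dict, now: float) -> str:
        # 256 bits from the OS CSPRNG: unguessable, and meaningless to
        # anyone but this server (the property the thread attributes to
        # CFID/CFTOKEN, collapsed here into one token for the example).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (now + self.ttl, dict(data))
        return token

    def lookup(self, token: str, now: float) -> Optional[dict]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        expires_at, data = entry
        if now >= expires_at:
            # Lazy eviction: a stolen token is worthless after the window,
            # even if the browser still sends it.
            del self._sessions[token]
            return None
        return dict(data)

    def destroy(self, token: str) -> bool:
        # Explicit logout; do not rely on expiry alone.
        return self._sessions.pop(token, None) is not None


def session_cookie(token: str, now: float, ttl: int = SESSION_TTL_SECONDS) -> str:
    """Set-Cookie value for the opaque token, expiring after the short window.

    Both Expires (what year-2000 browsers honour) and Max-Age are emitted.
    The cookie name is an assumption for this example.
    """
    expires = formatdate(now + ttl, usegmt=True)
    return f"SESSIONID={token}; Expires={expires}; Max-Age={ttl}; Path=/"


def naive_cookie(user: str, role: str) -> str:
    """The pattern Sharon warns against: user data in the cookie itself.

    Whoever reads this cookie learns the identity and can replay or edit it;
    no expiry on the server can take that back.
    """
    return f"USER={user}; ROLE={role}; Path=/"


def demo(now: float = 0.0) -> dict:
    """Walk through the scenario in the thread: a cookie gets snagged.

    Returns the observations as a dict so they can be checked.
    """
    store = SessionStore()
    token = store.create({"user": "howard", "role": "producer"}, now)
    cookie = session_cookie(token, now)
    # Read 10 minutes in: the token still works. This is the caveat; the
    # short expiry only shrinks the window in which a snagged cookie is useful.
    within_window = store.lookup(token, now + 10 * 60)
    # Same token 31 minutes in: nothing behind it any more.
    after_window = store.lookup(token, now + 31 * 60)
    return {
        "cookie_has_user_data": "howard" in cookie,
        "valid_within_window": within_window is not None,
        "valid_after_window": after_window is not None,
        "naive_cookie": naive_cookie("howard", "producer"),
    }
```

Note that none of this fixes the browser bug under discussion; it only limits what a stolen cookie is worth (an opaque handle that dies with the server-side entry) and for how long (the TTL, plus an explicit destroy on logout).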

----- Original Message -----
From: "Owens, Howard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 16, 2000 4:03 PM
Subject: RE: "You have nice cookies .. mind if I have a look?"


|
| Well, to me, the main issue isn't what CF does or doesn't do with cookies
| ... it's user perception.  This is one more feather in the cap of the
| anti-cookie maniacs.  Wait until the media reports this -- "Cookies Steal
| User Identities ... film at 11"  It could get ugly.
|
| My latest programming methodology has relied on cookies and my attitude has
| been anti-cookie fanatics be damned.  If you disable cookies you can't use
| my site!!!  This whole new security hole undercuts my primary argument:
| There is nothing wrong with cookies.  Well, now, we find out, there is.  I
| don't know if that's going to change much of what I'm doing because the
| actual value of exploiting this hack is rather slim, it seems to me.
|
| I like session vars.  I want to use session vars (not to mention client
| vars). I shouldn't need to jump through the hoops of passing session vars
| through URLs and hidden input fields (sort of defeats the purpose, doesn't
| it?).  For now, I'm going to keep using cookies as I've been using them.
|
| However ... friggin' frackin' Microsoft!!!!!!!!!!!
|
| H.
|
| =========================
| Howard Owens
| Web Producer
| InsideVC.com
| mailto:[EMAIL PROTECTED]
| =========================
|
| > -----Original Message-----
| > From: Sharon DiOrio [SMTP:[EMAIL PROTECTED]]
| > Sent: Tuesday, May 16, 2000 12:56 PM
| > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
| > Subject: RE: "You have nice cookies .. mind if I have a look?"
| >
| > Because the web is "stateless", each http request is independent of the
| > previous ones.  So the web server (any web server, not just CF) needs a way
| > to establish that multiple http requests belong to the same user.
| > Therefore, session state needs to be maintained either by setting cookies
| > or by passing a unique ID in URL variables.
| >
| > In Cold Fusion SESSION management, the temporary cookie only contains CFID
| > and CFToken, values that mean nothing except to the Cold Fusion server that
| > set them; having them stolen is less of a security risk than setting
| > discrete cookies with user specific information.
| >
| > Sharon
| >
| > At 12:44 PM 5/16/2000 -0700, paul smith wrote:
| > >Nope.  You only need session vars
| > >to maintain a session state.
| > >You need to set cookies on your
| > >visitor's 'puter if you want them
| > >to be able to login automagically.
| > >
| > >best,  paul
| > >
| > >At 03:04 PM 5/16/00 -0400, you wrote:
| > >>I thought cookies had to be enabled for session scoping to work?
| > >
| >
| > >------------------------------------------------------------------------------
| > >Archives: http://www.eGroups.com/list/cf-talk
| > >To Unsubscribe visit
| > >http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
| > >send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
| >

