James A. Donald:
> > Which is fine provided your code, rather than the framework 
> > code, provided the cookie, and provided you generated the 
> > cookie in response to a valid login, as Ben Laurie does. 
> > The framework, however, generally provides insecure 
> > cookies.

Ng Pheng Siong:
> Dynamic programming environments like Lisp, Smalltalk and 
> Python allow the application programmer to replace parts of a 
> framework with other code easily.

The word "environment", like "framework", is overloaded.   I had 
in mind such frameworks as PHP, Struts, and ASP.   mod_perl 
makes you do your own damn cookie management as far as I know,
and so would not in itself cause the session fixation problem,
though programmer error might very easily cause it. 

         James A. Donald

The Cryptography Mailing List
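
Added example, not part of the original message and not any framework's own code: a sketch of the difference discussed in this thread between a login that keeps the session id the client presented and one that issues the cookie only in response to a valid login. `SessionStore`, its method names, the credentials and the planted id are hypothetical, constructed for illustration.

```python
import hmac
import secrets


class SessionStore:
    """Minimal in-memory session table (constructed for illustration)."""

    def __init__(self, users):
        self.users = users      # username -> password (plaintext only for this demo)
        self.sessions = {}      # session id -> authenticated username

    def _check(self, user, password):
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    def login_framework_style(self, presented_sid, user, password):
        """Weak: adopts the id the client presented and keeps it after login."""
        if not self._check(user, password):
            return None
        sid = presented_sid or secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def login_fresh_cookie(self, presented_sid, user, password):
        """Hardened: drop the pre-login id, mint a new one only on valid login."""
        if not self._check(user, password):
            return None
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def demo():
    planted = "sid-known-to-a-third-party"   # constructed value
    weak = SessionStore({"alice": "correct horse"})
    weak_sid = weak.login_framework_style(planted, "alice", "correct horse")
    strong = SessionStore({"alice": "correct horse"})
    strong_sid = strong.login_fresh_cookie(planted, "alice", "correct horse")
    return {
        "weak_keeps_planted_id": weak_sid == planted,
        "weak_planted_id_user": weak.whoami(planted),
        "strong_keeps_planted_id": strong_sid == planted,
        "strong_planted_id_user": strong.whoami(planted),
    }
```

In the weak variant the id known before login ends up bound to the authenticated user; in the hardened variant that id maps to nothing after login.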