--
James A. Donald:
> > Which is fine provided your code, rather than the framework 
> > code provided the cookie, and provided you generated the 
> > cookie in response to a valid login, as Ben Laurie does.. 
> > The framework, however, generally provides insecure 
> > cookies.

Ng Pheng Siong:
> Dynamic programming environments like Lisp, Smalltalk and 
> Python allow the application programmer to replace parts of a 
> framework with other code easily.

The word "environment", like "framework" is overloaded.   I had 
in mind such frameworks as PHP, struts, and ASP.   mod_perl 
makes you do your own damn cookie management as far as I know,
and so would not in itself cause the session fixation problem,
though programmer error might very easily cause it. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     M2QqNF3SbBJ8ZBL5r77vtVp17bYimpkgCZWrCRxA
     4YMBoFimaPGsULDLow0LdwGBbNKGNfrlCjIFpMfYa


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to