The above is assuming that https is being used.

Thanks
Pieter

On 12/07/2013 10:32, Pieter Martin wrote:
> I would also like to know about this.
>
> However is stealing a cookie not the same as getting access to the user's
> computer?
>
> Cheers
> Pieter
>
> On 12/07/2013 09:53, Johanneke Lamberink wrote:
>> So, as far as I can see, the Restlet CookieAuthenticator takes care of
>> session fixation by generating a new value for the cookie on every request
>> (encrypting the username/password/timestamp).
>>
>> But what about session hijacking? If every cookie contains the username and
>> password, someone who got hold of a cookie could use it to log in, right? So
>> when my cookie gets stolen, it can still be used after I logged out and my
>> browser deleted the cookie, because the attacker still has the cookie.
>>
>> I have implemented a check on the time the cookie was issued, but an
>> attacker could do periodic requests to make sure his stolen cookie never gets
>> old.
>>
>> How do I protect against this? Every blog and tutorial I find just tells me
>> to put the session id in the session and discard it after logout. But I
>> don't have a session to store to or discard from, because the server is
>> stateless...
>>
>> ------------------------------------------------------
>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060314
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060317

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060322
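The two problems raised in the quoted question (a stolen cookie that keeps working after logout, and an attacker who renews it periodically so it never ages out) come from the cookie being the only credential and from the age check being reset on every renewal. The sketch below is an added example, not Restlet's CookieAuthenticator and not code from anyone in this thread; it is written in Python rather than Java because the technique is not Restlet-specific. The key, lifetimes and claim names are constructed assumptions. The idea is: the cookie carries a signed identity and timestamps but no password; renewal slides an idle window but never moves the absolute expiry fixed at login; and logout keeps the smallest state that can actually revoke a token, a denylist of token ids that can be pruned once their absolute expiry has passed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key-not-for-production"
MAX_LIFETIME = 8 * 3600   # absolute lifetime, fixed at login (seconds)
IDLE_TIMEOUT = 15 * 60    # sliding window, renewed on each request (seconds)

# The only server-side state: ids of tokens logged out before their absolute
# expiry, mapped to that expiry so stale entries can be pruned.
revoked = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def _encode(claims: dict) -> str:
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode())
    return payload.decode() + "." + _sign(payload)


def issue(user: str, now: float) -> str:
    """Log-in: mint a token holding a signed identity, never the password."""
    now = int(now)
    claims = {"jti": secrets.token_hex(8), "u": user,
              "iat": now, "exp": now + MAX_LIFETIME, "seen": now}
    return _encode(claims)


def verify(token: str, now: float):
    """Return the claims if the token is authentic and still valid, else None."""
    try:
        payload_b64, sig = token.rsplit(".", 1)
        payload = payload_b64.encode()
        # Constant-time comparison before trusting anything in the payload.
        if not hmac.compare_digest(_sign(payload), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeError):
        return None
    if now >= claims["exp"]:                 # absolute limit; renewal cannot move it
        return None
    if now - claims["seen"] > IDLE_TIMEOUT:  # idle too long
        return None
    if claims["jti"] in revoked:             # logged out before expiry
        return None
    return claims


def renew(token: str, now: float):
    """Per-request renewal: slides the idle window, keeps iat/exp unchanged."""
    claims = verify(token, now)
    if claims is None:
        return None
    claims["seen"] = int(now)
    return _encode(claims)


def logout(token: str, now: float) -> bool:
    """Revoke a still-valid token; the entry can be dropped after claims['exp']."""
    claims = verify(token, now)
    if claims is None:
        return False
    revoked[claims["jti"]] = claims["exp"]
    return True


def stolen_cookie_dies_at(token: str, start: float, interval: float) -> float:
    """Simulate a stolen cookie being renewed every `interval` seconds and
    return the time at which renewal finally fails (the absolute expiry)."""
    now = start
    while True:
        now += interval
        token = renew(token, now)
        if token is None:
            return now
```

With this layout a stolen cookie is worth at most MAX_LIFETIME no matter how often it is replayed, and a logout takes effect immediately at the cost of one small bounded map. The cookie still has to be protected in transit and from scripts (Secure and HttpOnly flags, which also covers the https point made at the top of this message), because signing only stops tampering, not copying.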