Indeed, but surely the cookie information stored should be dependant on the user's authentication details? It makes sense to use semi-dynamic cookie information like this, making holes like this one a little more hard to 'gain and keep' access.
> there is a [x] box.. > > "Don't ask for my password for 2 weeks." > > this sets the users cookie. Gmail uses the cookie for authentication. > > >>XSS holes are not (as we all know) an immediate bypass for >> any authentication. > right > >>It can be used, with a bit of work, to steal >> cookies/authentication data from unexpecting users, NOT as an immediate >> break-into-accounts kiddie tool. > right > >> However, the interesting thing I found about this article was this line: >> "regardless of whether or not the password is subsequently changed" >> >> Does Gmail use some sort of static security key? >> Does anyone have any further details on the security implemented by >> Google >> in their new service? > see above. > > > m.wood >> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
