On Sun, Jan 4, 2009, MajorProgamming <[email protected]> wrote:
> [...]
> 1. Use my own custom system:
> Suppose I have the user log in and then set a "logged in" cookie --
> through SSL. Would that cookie then be accessible to the non-SSL pages
> of my site?
> Are there any possible security breaches that I have to worry about
> when using this method?
Here are some pointers that you may find helpful.

RFC 2965, and specifically the description of the Secure attribute on page 7:
http://tools.ietf.org/html/rfc2965#page-7

Some Mozilla documentation:
https://developer.mozilla.org/En/DOM:document.cookie

Some Microsoft docs (not sure how relevant they are though):
http://msdn.microsoft.com/en-us/library/aa384321(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms533693.aspx

The Doctype article "Compartmentalizing applications within the same domain":
http://code.google.com/p/doctype/wiki/ArticleCompartmentalizingApplications#Use_the_secure_Cookie_Attribute

"Cookie Forcing", a blog post by Chris Evans, who is a great security researcher. In it he describes an important attack on HTTPS connections using cookies. The result is that you can't trust any cookies even when you're transmitting them over HTTPS.
http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html

There are a lot more security issues that every web developer should worry about. If you are unsure what they are, you may wish to explore this topic in some depth. Here are my favorite starting points:

Doctype collection of articles on web security (most informative!):
http://code.google.com/p/doctype/wiki/ArticlesXSS

Stanford Web Security Research page:
http://crypto.stanford.edu/websec/

And the paper "Robust Defenses for Cross-Site Request Forgery" (2008) by A. Barth, C. Jackson, and J. C. Mitchell:
http://crypto.stanford.edu/websec/csrf/

--
Alexander
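Added example, not part of Alexander's message or the thread: a Python script that uses the standard library's http.cookiejar as a stand-in for the browser to show what the question and the pointers above describe. It shows that a cookie set over HTTPS without the Secure attribute is also sent to the plain-HTTP pages of the same site, that Secure stops this, and, per the cookie forcing post, that even a Secure cookie's value can be replaced by a response received over HTTP. The host example.com, the paths and the cookie values are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class ConstructedResponse:
    """Stand-in for an HTTP response; CookieJar only needs its info() headers."""
    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Feed the Set-Cookie headers of a constructed response to `url` into the jar."""
    jar.extract_cookies(ConstructedResponse(set_cookie_headers), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url` ('' if none)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def demo():
    """Session cookie set by https://example.com/login (constructed host and values)."""
    results = {}
    # 1. No Secure attribute: the browser also sends it to the site's http:// pages, in cleartext.
    plain = CookieJar()
    receive(plain, "https://example.com/login", ["session=abc"])
    results["no_secure_sent_over_http"] = cookie_header_for(plain, "http://example.com/")
    # 2. With the Secure attribute: withheld from http://, still sent to https://.
    secure = CookieJar()
    receive(secure, "https://example.com/login", ["session=abc; Secure"])
    results["secure_sent_over_http"] = cookie_header_for(secure, "http://example.com/")
    results["secure_sent_over_https"] = cookie_header_for(secure, "https://example.com/")
    # 3. Cookie forcing caveat: a Set-Cookie received over plain HTTP for the same name replaces
    #    the Secure cookie, so the server must not assume only it could have set that value.
    receive(secure, "http://example.com/", ["session=forced"])
    results["secure_after_http_overwrite"] = cookie_header_for(secure, "https://example.com/")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway for the original question: set the cookie with Secure so it never reaches the non-SSL pages, and bind its value to server-side session state rather than trusting the value itself.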
