On Mon, 24 Apr 2000, Matt Sergeant wrote:
> On Sat, 22 Apr 2000, dreamwvr wrote:
>
> > hi,
> > most likely you will want to shut down cookies and use another method as per
> > advisories that currently there is a problem with javascript and cookies when
> > both enabled. b.t.w. exploder has simular problems so since javascript is nice
> > to have cookies are a problem these days. besides most clueful users these days
> > have cookies turned off..
>
> I don't think that's true. Even supposedly clueful sites like slashdot
> have used cookies from day 1 (back when most of its visitors _were_
> clueful).
Don't go holding slashdot up as a great example. It is a perfect
example of what not to do. Last I checked, and this is probably still
true, anyone could make a post that, when read, stole the password of the
user reading it if they were logged in at the time.
slashdot does everything wrong. They allow user posts to be read by
others without properly filtering or encoding HTML. They use a cookie
that is simply the user's user id and password, very trivially encoded.
etc.
But, for certain applications, there simply aren't any alternatives that
don't have more significant problems. You definitely do have to be very
careful when designing your use of cookies so you understand what the
risks are and properly minimize them, but just because there are a couple
of browser security bugs (and lots have been found in the past, and lots
will be found and/or announced in the future) doesn't mean any huge
percentage of users have cookies disabled or that you shouldn't use
cookies at all.