On Mon, 24 Apr 2000, Marc Slemko wrote:
> Don't go holding slashdot up as a great example. They are a perfect
> example of what not to do. Last I checked, and this is probably still
> true, anyone could make a post that, when read, stole the password of the
> user reading it if they were logged in at the time.
>
> slashdot does everything wrong. They allow user posts to be read by
> others without properly filtering or encoding HTML. They use a cookie
> that is simply the user's user id and password, very trivially encoded.
> etc.
Hold yer guns there cowboy! I wasn't saying /. is a great example, just
that a lot of clueful people use that site (or did?), and it has always
used cookies. To say that the majority of clueful users turn off cookies
is just wrong. If anything, clueful users install a junkbuster or
equivalent and let cookies through for sites they want to use them for.
> But, for certain applications, there simply aren't any alternatives that
> don't have more significant problems. You definitely do have to be very
> careful when designing your use of cookies so you understand what the
> risks are and properly minimize them, but just because there are a couple
> of browser security bugs (and lots have been found in the past, and lots
> will be found and/or announced in the future) doesn't mean any huge
> percentage of users have cookies disabled or that you shouldn't use
> cookies at all.
I'm not aware of any serious cookie security bugs - maybe I missed
them. All the ones I can recall were Javascript ones. I still leave
Javascript on though - but I don't visit a whole lot of sites that would
be malicious.
--
<Matt/>
Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org