> To play devil's advocate, pure cookie based authentication is not a
> panacea. If you allow users to put things like JavaScript on your site,
> or if you have users who exploit IE bugs like the about: cookie domain
> bug from last year, cookies can be stolen and session hijacked. Pure
> cookie auth is definitely a good thing, but does not provide safety in a
> number of 'real world' applications.
Yes, I pointed that out in an earlier discussion about this topic. An online-banking site could, for example, check the browser for certain types of common vulnerabilities and post a nice "please upgrade" dialogue. This would exclude IE by default though, because there are quite a load of unfixed, publicly known security bugs. http://www.jscript.dk/unpatched/ listed them, but the page seems to be down now. Google still finds http://www.jscript.dk/unpatched/MS02-023update.html: "Yesterday I hosted a list of 14 publicly known unpatched vulnerabilities, today I host a list of 12 such. It can still be found at http://jscript.dk/unpatched/"

- Sascha

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
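An added PHP example, not from the thread or from PHP's own code, of the two defences the quoted scenario calls for: the session cookie is flagged so page scripts cannot read it, and user-supplied text is HTML-escaped on output so injected markup is displayed rather than executed. The sample input and the `renderUserText` helper are constructed for this illustration.

```php
<?php
// Added example (not from the mailing-list thread). Shows how a PHP site
// limits the damage when users can get JavaScript onto a page:
// 1. the session cookie is kept out of reach of document.cookie, and
// 2. user-supplied text is escaped so it cannot become script at all.

declare(strict_types=1);

// 1. Session cookie flags (PHP >= 7.3 array form of session_set_cookie_params).
//    httponly: scripts cannot read the cookie, so it cannot be exfiltrated via JS.
//    secure:   the cookie is only sent over HTTPS, never in the clear.
//    samesite: the cookie is not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Output encoding. The vulnerable pattern is: echo $_GET['comment'];
//    Escaping turns <script> into &lt;script&gt;, which the browser shows
//    as text instead of running.
function renderUserText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample of the kind of text a user might post to the site.
$sample = 'Hello <script>alert("injected")</script> world';
echo renderUserText($sample);
// Prints: Hello &lt;script&gt;alert(&quot;injected&quot;)&lt;/script&gt; world
```

Even if some other page on the same host did run injected script, the HttpOnly flag keeps the session id out of `document.cookie`, which is the value an attacker would need to hijack the session.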