[PHP] Cookie Question

I am still new to web programming but I have a lot of experience in developing non web based applications. So I think I am a reasonably clever programmer and I have now done enough web programming that I understand the cookie mechanism. What I can't figure out is why so many people are paranoid about cookies. I don't really see much of anything that can be done with cookies to invade someone's privacy. Am I missing something here?

Chris W

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Cookie Question

From: Chris W [EMAIL PROTECTED]

> I am still new to web programming but I have a lot of experience in developing non web based applications. So I think I am a reasonably clever programmer and I have now done enough web programming that I understand the cookie mechanism. What I can't figure out is why so many people are paranoid about cookies. I don't really see much of anything that can be done with cookies to invade someone's privacy. Am I missing something here?

Exactly. The problem isn't the mechanism, it's the implementation by the programmer. If you save my favorite color in a cookie, no big deal. If you save my username and password in a cookie, that is a big deal. Cookies are sent back and forth between the web server and client in plain text, so they can be captured.

The other thing to realize is that cookies can be changed; they come from the client. So if you set my id to 555 in a cookie and that determines who I am for your site, I can change the id to 333 and become another person. Again, it's a problem with the implementation by the program, not cookies themselves.

---John Holmes...
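The point in the reply above about a client changing id 555 to 333, as an added example that is not part of the original thread: a cookie trusted as-is beside one that carries an HMAC the server checks before believing the id. The function names, the key and the sample values are constructed for illustration.

```php
<?php
// Added example; helper names and all values are constructed for illustration.
const COOKIE_KEY = 'constructed-demo-key-load-a-real-one-from-config';

// Pattern from the message: identity is whatever number the client sends.
function user_id_trusting(array $cookies): ?int
{
    return isset($cookies['id']) ? (int) $cookies['id'] : null;
}

// Hardened form: the value is "<id>.<hex HMAC-SHA256 of id>".
function issue_id_cookie(int $id): string
{
    return $id . '.' . hash_hmac('sha256', (string) $id, COOKIE_KEY);
}

// Returns the id only when the MAC matches; null for missing or edited values.
function user_id_verified(array $cookies): ?int
{
    $raw = $cookies['id'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2 || preg_match('/^[0-9]+$/', $parts[0]) !== 1) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], COOKIE_KEY);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// In a web request the value would be sent with something like:
// setcookie('id', issue_id_cookie(555), ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
// "secure" keeps it off plain-HTTP connections, the other point in the message.

$issued = issue_id_cookie(555);
$edited = '333' . substr($issued, 3);   // client swaps the id, keeps the old MAC

var_dump(user_id_trusting(['id' => '333']));     // unsigned cookie, edited id
var_dump(user_id_verified(['id' => $issued]));   // cookie exactly as issued
var_dump(user_id_verified(['id' => $edited]));   // edited cookie
```

A signed id still identifies the user to anyone who captures the cookie. PHP's built-in sessions, which keep the id on the server behind a random token, are the usual alternative.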
Re: [PHP] Cookie Question

CPT John W. Holmes wrote:

> From: Chris W [EMAIL PROTECTED]
>
> > I am still new to web programming but I have a lot of experience in developing non web based applications. So I think I am a reasonably clever programmer and I have now done enough web programming that I understand the cookie mechanism. What I can't figure out is why so many people are paranoid about cookies. I don't really see much of anything that can be done with cookies to invade someone's privacy. Am I missing something here?
>
> Exactly. The problem isn't the mechanism, it's the implementation by the programmer. If you save my favorite color in a cookie, no big deal. If you save my username and password in a cookie, that is a big deal. Cookies are sent back and forth between the web server and client in plain text, so they can be captured.
>
> The other thing to realize is that cookies can be changed; they come from the client. So if you set my id to 555 in a cookie and that determines who I am for your site, I can change the id to 333 and become another person. Again, it's a problem with the implementation by the program, not cookies themselves.

And don't forget the effect media hype had on their reputation. Cookies were portrayed as bad guys. As John says, they're not if they're used correctly, but it only takes one high-profile example of improper use to tarnish a reputation forever.

--
Stuart
Re: [PHP] Cookie Question

From: Stuart [EMAIL PROTECTED]

> And don't forget the effect media hype had on their reputation. Cookies were portrayed as bad guys. As John says, they're not if they're used correctly, but it only takes one high-profile example of improper use to tarnish a reputation forever.

And as that reputation is reduced, more people may turn them off. Another key point to realize is that the acceptance and transmittal of cookies is a client decision. You shouldn't rely on them or at least be aware of the possible problems if you do.

---John Holmes...
Re: [PHP] Cookie Question

--- CPT John W. Holmes [EMAIL PROTECTED] wrote:

> > I am still new to web programming but I have a lot of experience in developing non web based applications. So I think I am a reasonably clever programmer and I have now done enough web programming that I understand the cookie mechanism. What I can't figure out is why so many people are paranoid about cookies. I don't really see much of anything that can be done with cookies to invade someone's privacy. Am I missing something here?
>
> Exactly. The problem isn't the mechanism, it's the implementation by the programmer. If you save my favorite color in a cookie, no big deal. If you save my username and password in a cookie, that is a big deal.

Ditto what John said. In addition, you might want to research DoubleClick and Web bugs (two separate things) as well as understand a bit how a browser requests all of the resources necessary to render a page.

As for why people are paranoid, I think you will find out if you search for cookies and read what sort of information is out there. In fact, aside from the original Netscape specification, I don't think I've read anything online about cookies that wasn't full of misinformation.

Finally, you may want to check out the following two URLs:

http://www.peacefire.org/security/iecookies/
http://www.solutions.fi/index.cgi/news_2001_11_08?lang=eng

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/