That is incorrect. That is indeed true for a regular cookie, but that has all kinds of problems. I was referring to actual signed cookies.
On Jul 31, 9:56 am, mdipierro <[email protected]> wrote:
> There is a difference.
>
> If you have a uuid session cookie and a serverside session and an
> attacker hijacks the cookie, he can only get access to the account of
> the compromised user.
>
> If the session is stored client side and the attacker hijacks the
> cookie, he can tamper with the data in the session and, depending on
> what the session cookie stores, may get access to more than the data of
> the compromised user.
>
> Massimo
>
> On Jul 31, 1:58 am, Armin Ronacher <[email protected]>
> wrote:
>
> > Hi,
> >
> > On Jul 31, 2:38 am, Scott <[email protected]> wrote:
> > > I do not agree with item 1. Session data should never be stored
> > > client-side as it opens a rather large attack vector.
> >
> > Which attack vector exists for signed cookies with a signed timeout
> > compared to just session IDs in cookies? Both can be hijacked by a man
> > in the middle.
> >
> > Regards,
> > Armin
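The two properties the thread is arguing about (a hijacked cookie can be replayed; a signed client-side session cannot be edited without the key, and its timeout travels inside the signed body) can be shown in a few lines. The following is an added example written for this page, not code from any of the posters or from web2py; the key, the field names (`user`, `role`, `exp`) and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment loads this from configuration,
# never from source, and rotating it invalidates every outstanding cookie.
SECRET_KEY = b"demo-only-server-secret-do-not-reuse"


def sign_session(data, secret, ttl_seconds, now=None):
    """Serialise the session dict plus an expiry, then append an HMAC.

    The expiry lives inside the signed body, so a cookie thief cannot push
    it out without the key (this is the 'signed timeout' from the thread).
    """
    now = int(time.time()) if now is None else int(now)
    payload = dict(data)
    payload["exp"] = now + ttl_seconds
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def load_session(cookie, secret, now=None):
    """Return the session dict if the MAC and expiry check out, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    return payload


def forge_without_key(cookie, changes):
    """What a thief can try on a client-side session WITHOUT the key:
    rewrite the body and reuse the old MAC. The server must reject this."""
    body, mac = cookie.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload.update(changes)
    new_body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    return new_body + "." + mac


def demo(secret=SECRET_KEY):
    """Run the four cases the thread discusses and return the outcomes."""
    issued_at = 1_000_000  # constructed clock value, seconds
    cookie = sign_session({"user": "alice", "role": "user"}, secret, 600, now=issued_at)
    within = issued_at + 60
    return {
        # Legitimate client within the timeout: accepted.
        "valid": load_session(cookie, secret, now=within),
        # Hijacker replays the identical bytes within the timeout: accepted.
        # Signing does not help here; a server-side session id replays just the same.
        "hijacked_replay": load_session(cookie, secret, now=within),
        # Hijacker edits the body to escalate: MAC no longer matches, rejected.
        "tampered": load_session(forge_without_key(cookie, {"role": "admin"}), secret, now=within),
        # Hijacker tries to extend the lifetime: still a body edit, rejected.
        "extended": load_session(forge_without_key(cookie, {"exp": issued_at + 10**6}), secret, now=within),
        # Honest cookie presented after the signed timeout: rejected.
        "expired": load_session(cookie, secret, now=issued_at + 601),
    }
```

The example makes the thread's two positions concrete: replay of a stolen cookie succeeds either way, so the signed timeout only bounds the replay window; what the signature buys is that the stolen cookie cannot be edited. What it does not buy, and what a server-side session does, is the ability to invalidate one specific session on the server without rotating the key for everyone.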

