Thank you Atrix,

To get you closer to your answer Nicholas:

> > Many sites authenticate you when you return by reading
> > cookies set during a previous visit. If this cookie
> > is readable by other sites when you visit those sites,
> > isn't this data vulnerable?
> >
> > Amazon, for one, knows your name when you return - because
> > they've linked your account to your cookie. I don't
> > know if they allow you to purchase things without
> > further authentication but, if they did, details of your
> > cookie would give someone access to your account
> >
> > How are other developers dealing with this? Is this an
> > issue we should consider?
> 

By default, the personal (sensitive) User variables you assign in Witango
are strictly managed via the unique <@USERREFERENCE> key issued in a
session-cookie, and this unique key is only available to the site that
assigned it (for the life of the current Browser session). 

The <@USERREFERENCE> key may exist temporarily in memory on the user's
computer - but the variables themselves do not (they live on the Server).

A site like Amazon has to "deliberately" assign those account cookies to not
expire for a very long time, and can therefore control which affiliate
sites have access to this information about you. In some cases these
commercial sites may just set their unique key in the cookie, but sometimes
they also set the user's personal information there too.

For large commercial sites, that have affiliate sites that share customer
data, you are totally at the mercy of their privacy policy.

From a security point of view, many vulnerabilities have been discovered and
patched by the various Browser makers with regards to cookies - but this has
nearly always been about accessing the cookies stored on the hard drive
(which are regular cookies, not session-cookies).

From what I understand, rogue or malicious programs or hackers have had very
little success in accessing dynamically assigned values in computer memory
(with dynamic memory addresses), which is where session-cookies live.

-----
So what am I trying to say? 

By default, the personal data of your Witango site visitors and customers is
the safest it can be. 

(Keeping in mind that nothing is 100% safe on the internet [even with SSL])

You have to deliberately code your cookies to make them accessible by other
sites (and potentially to unauthorized eyes) - so just proceed cautiously
and learn how cookies work properly, before venturing into this new jar.

Hope this works. Cheers...

Scott Cadillac,
XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
Well-formed Development
--
Extranet solutions using C# .NET, Witango, MSIE and XML


> -----Original Message-----
> From: Atrix Wolfe [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 31, 2003 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: cookies
> 
> 
> Well, here's what Scott said about session cookies:
> 
> These cookies are not saved to any local folders or hard drive, and only
> reside in memory during the current Browser window session (a virtual
> cookie-jar).
> 
> These cookies only pass back their data to the Domain that assigned them, so
> they are safe from capture by all other domains. Which is why Session
> Cookies are not considered the same thing as regular cookies, because
> regular cookies can be captured by other sites. Regular Cookies are what
> those Marketing guys with the annoying popup ads are using.
> 
> 
> 
> ----- Original Message -----
> From: "Nicholas Froome" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 31, 2003 6:04 AM
> Subject: RE: Witango-Talk: cookies
> 
> 
> > This is the longest thread I've seen on this list re Cookies, and very
> > welcome it is too
> >
> > Many sites authenticate you when you return by reading cookies set during a
> > previous visit. If this cookie is readable by other sites when you visit
> > those sites, isn't this data vulnerable?
> >
> > Amazon, for one, knows your name when you return - because they've linked
> > your account to your cookie. I don't know if they allow you to purchase
> > things without further authentication but, if they did, details of your
> > cookie would give someone access to your account
> >
> > How are other developers dealing with this? Is this an issue we should
> > consider?
> >
> > 
> ______________________________________________________________
> __________
> > TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> >
> 
> 

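The pattern this thread keeps coming back to - an opaque key in the cookie, the personal variables kept on the server, and a session cookie (no expiry) versus a regular cookie that a site like Amazon has to set deliberately - as an added example in Python. This is not Witango code and not from any of the posters; the cookie name `userref`, the `_SESSIONS` dictionary, the 30-minute idle timeout and the sample user variables are all assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional

# Added example, not Witango code. The server keeps every personal variable in
# this dictionary; the browser only ever receives the opaque key used to look
# the entry up (the role <@USERREFERENCE> plays in the thread).
_SESSIONS: Dict[str, dict] = {}

SESSION_TTL_SECONDS = 30 * 60   # hypothetical idle timeout for server-side state
COOKIE_NAME = "userref"         # hypothetical cookie name


def new_session(user_vars: dict, now: Optional[float] = None) -> str:
    """Store user_vars on the server and return a fresh, unguessable key."""
    key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _SESSIONS[key] = {
        "vars": dict(user_vars),
        "last_seen": time.time() if now is None else now,
    }
    return key


def set_cookie_header(key: str, persistent_days: int = 0) -> str:
    """Build the Set-Cookie value that carries the key to the browser.

    persistent_days == 0 gives a session cookie: no Max-Age/Expires, so the
    browser keeps it in memory and drops it when the browser session ends.
    persistent_days > 0 gives a regular (persistent) cookie that is written
    to disk and sent back on later visits, the 'remember me' case a site
    has to choose deliberately.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = key
    m = c[COOKIE_NAME]
    m["path"] = "/"
    m["httponly"] = True      # page scripts cannot read the key
    m["secure"] = True        # only ever sent over HTTPS
    m["samesite"] = "Lax"     # not attached to most requests started by other sites
    if persistent_days > 0:
        m["max-age"] = persistent_days * 86400
    return m.OutputString()


def lookup_session(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Map an incoming Cookie header back to the stored variables, or None.

    Returns None for a missing, malformed, unknown or idle-expired key, so the
    caller falls back to asking the user to authenticate again.
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except CookieError:
        return None
    if COOKIE_NAME not in c:
        return None
    key = c[COOKIE_NAME].value
    entry = _SESSIONS.get(key)
    if entry is None:
        return None
    now = time.time() if now is None else now
    if now - entry["last_seen"] > SESSION_TTL_SECONDS:
        _SESSIONS.pop(key, None)   # stale state is removed, not just hidden
        return None
    entry["last_seen"] = now
    return entry["vars"]


def end_session(key: str) -> bool:
    """Forget the server-side state (logout); the browser's copy of the key is then useless."""
    return _SESSIONS.pop(key, None) is not None


if __name__ == "__main__":
    # Constructed walk-through: log in, come back, then sit idle too long.
    key = new_session({"name": "Nicholas", "cart": []}, now=1000.0)
    print(set_cookie_header(key))                     # session cookie, no Max-Age
    print(set_cookie_header(key, persistent_days=7))  # regular cookie, Max-Age=604800
    print(lookup_session(f"{COOKIE_NAME}={key}", now=1001.0))
    print(lookup_session(f"{COOKIE_NAME}={key}", now=9000.0))   # None: idle timeout
```

The HttpOnly, Secure and SameSite attributes narrow where the browser will hand the key out; they do not change the fact that whoever holds a valid key is, to the server, that user. That is why the example gives the server-side entry an idle timeout and a logout that deletes it: a stolen key then stops working at the server rather than living on for as long as the cookie does.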
