

At 4:15 PM -0500 1/7/04, Rich Salz wrote:

>No.  I'm saying without rest I send it once, store it at the server,
>use a cookie to refer to it in future transactions.

Is the cookie sent unencrypted? If so, and we're not using SSL (as is 
the case in many cookie scenarios), what, if anything, prevents an 
attacker from snarfing the authentication cookie as it makes its way 
back from the client to the server (or in the other direction) and 
adding that to its own requests to the same server?

I hope there's something that prevents this. There must be. Otherwise 
this is a huge, gaping security hole much bigger than anything we've 
been arguing about, and I would think it would have lots of practical 
exploits on the Web today. Please tell me there's some reason this 
attack won't work.
-- 

   Elliotte Rusty Harold
   elharo@m...
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
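The exposure raised in the message above is usually limited by the Set-Cookie attributes a server emits (Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from page script, SameSite limits cross-site sending). The following is an added audit check, not code from the thread; the header values are constructed samples.

```python
"""Audit Set-Cookie headers for attributes that limit cookie exposure.

Added example, not from the original mailing-list message. The sample
headers below are constructed for illustration.
"""

# Constructed sample Set-Cookie headers, as a server might emit them.
SAMPLE_HEADERS = [
    "auth=abc123; Path=/",
    "auth=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for a single header."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent in the clear over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    return name, findings


def audit_headers(headers):
    """Map each header index to its findings; empty list means clean."""
    return {i: audit_cookie(h) for i, h in enumerate(headers)}


if __name__ == "__main__":
    for idx, (name, findings) in audit_headers(SAMPLE_HEADERS).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"[{idx}] {name}: {status}")
```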
