[Zope-dev] [patch] More secure cookie crumbler?
Chris Withers
lists at simplistix.co.uk
Mon Apr 12 09:11:17 EDT 2004
Jamie Heilman wrote:
> The problem of using cookies for auth creds is a little more complex
> than that. The reality is, in a well written application, cookies
> should never be used to store auth creds, even if you only send them
> over SSL.
The patch means that auth creds are never sent, only an auth token that's valid
for 20 mins or so, or you could set it to less.
> The reason is that client side scripting languages are
> usually permitted access to cookie structures whereas they are
> explicitly forbidden access to auth cred structures. This is one of
> the main things that makes cross-site scripting attacks dangerous.
Can you explain the XSS risk when a client user is not permitted to write HTML
content to be stored by the app?
> restrictions, etc. but few people will go through the trouble, and I'd
> wager most people using the various cookie-based auth folder products
> don't even know the risks.
This I'd agree with, but I find the argument "this car's brakes only let me stop
in 1 mile, so there's no point in changing them so I can stop in 0.5 miles" a
poor one...
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
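As an added illustration of the scheme Chris describes (this is not his patch and not CookieCrumbler's own code), the sketch below signs a username together with an expiry time using a server-side secret, so the cookie carries only a token that stops working after roughly 20 minutes and never the password itself. The cookie name `__ac`, the HMAC-SHA256 construction, the secret key and the `Max-Age`/`HttpOnly`/`Secure` attributes are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time

# The thread mentions a token "valid for 20 mins or so"; the lifetime is configurable.
TOKEN_LIFETIME = 20 * 60  # seconds


def issue_token(username, secret_key, now=None, lifetime=TOKEN_LIFETIME):
    """Build an auth token: base64(username:expiry) + '.' + HMAC-SHA256 over the payload.

    secret_key is a bytes value known only to the server (assumed, not from the page).
    The credentials themselves never appear in the token.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + lifetime
    payload = f"{username}:{expires}".encode("utf-8")
    sig_hex = hmac.new(secret_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + sig_hex


def verify_token(token, secret_key, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, sig_hex = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        # The expiry never contains ':', so splitting from the right keeps usernames intact.
        username, expires_s = payload.decode("utf-8").rsplit(":", 1)
        expires = int(expires_s)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(secret_key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig_hex):
        return None
    if now >= expires:
        return None  # token has aged out; the client must authenticate again
    return username


def set_cookie_header(token, lifetime=TOKEN_LIFETIME):
    """Set-Cookie value for the token (cookie name '__ac' is an assumption).

    HttpOnly keeps the cookie away from client-side script on browsers that honour it,
    Secure keeps it off plain HTTP, and Max-Age matches the token's lifetime.
    """
    return f"__ac={token}; Path=/; Max-Age={lifetime}; Secure; HttpOnly"


if __name__ == "__main__":
    key = b"constructed-example-secret"  # constructed sample value
    tok = issue_token("alice", key)
    print(set_cookie_header(tok))
    print("valid now:", verify_token(tok, key))
    print("valid in 30 min:", verify_token(tok, key, now=time.time() + 30 * 60))
```

Because only the token is stored client-side, a leaked cookie is worth at most the remaining minutes of its lifetime rather than the user's password, and the server can shorten the window by lowering `TOKEN_LIFETIME`.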