[cap-talk] Security considerations for cookies
David Wagner
daw at cs.berkeley.edu
Mon Feb 15 23:29:12 PST 2010
David Wagner wrote:
>Mark Seaborn wrote:
>>Can't these attacks be addressed by the usual means of including a suitably
>>unguessable secret in the URL or POST parameter (which can be checked
>>against the cookie if you want to protect against URL leaks)?
>
>No. Parameters cannot prevent overwriting of cookies.
>Implication: Whatever protocol you layer on top of protocols had
>better be resilient to overwriting of cookies (or at least, to those
>kinds of overwriting that can occur, given your threat model).
I see that I can't write. What I meant to say:
Implication: Whatever protocol you layer on top of *cookies* had
better be resilient to overwriting of cookies (or at least, to those
kinds of overwriting that can occur, given your threat model).
Sorry.
P.S. I hope I'm interpreting what you mean by "these attacks" accurately:
I'm interpreting it to mean "attacks that overwrite cookies".
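The implication above, as an added illustration that is not part of the thread: a stateless "double submit" check (POST parameter must equal the cookie) cannot tell a cookie the server issued from one an attacker overwrote, whereas a token bound to a server-held key rejects any attacker-chosen value. The server key, session id and request values are constructed for the example.

```python
"""Simulated checks for a request whose cookie jar an attacker may have overwritten."""
import hashlib
import hmac

# Constructed server-side secret for the example; a deployment would generate its own.
SERVER_KEY = b"constructed-example-key-not-for-production"


def naive_double_submit_ok(cookie_token: str, param_token: str) -> bool:
    """Stateless 'double submit': the POST parameter must equal the cookie.
    The server keeps no record of what it issued, so whoever can set both
    values (by overwriting the cookie) passes regardless of the parameter."""
    return hmac.compare_digest(cookie_token.encode(), param_token.encode())


def keyed_token(session_id: str) -> str:
    """Token bound to the session under the server key; minting one needs the key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def keyed_check_ok(session_id: str, cookie_token: str, param_token: str) -> bool:
    """Accept only if both the cookie and the parameter carry the key-bound token."""
    expected = keyed_token(session_id).encode()
    return (hmac.compare_digest(expected, cookie_token.encode())
            and hmac.compare_digest(expected, param_token.encode()))


def overwritten_cookie_request(session_id: str = "sess-123") -> dict:
    """Constructed request in which the cookie was overwritten with a value the
    attacker also placed in the parameter. Returns each check's verdict."""
    chosen = "attacker-chosen-value"
    return {
        "naive_accepts": naive_double_submit_ok(chosen, chosen),   # True
        "keyed_accepts": keyed_check_ok(session_id, chosen, chosen),  # False
    }
```

The keyed variant only stops an attacker from minting tokens; if the session cookie itself can be overwritten, the binding has to reach server-side session state as well.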