[cap-talk] Security considerations for cookies
Bill Frantz
frantz at pwpconsult.com
Tue Feb 16 17:40:18 PST 2010
w3c at adambarth.com (Adam Barth) on Monday, February 15, 2010 wrote:
>On Mon, Feb 15, 2010 at 11:15 PM, David Wagner <daw at cs.berkeley.edu> wrote:
>> A related threat is that an arbitrary site may be able to delete
>> all cookies, even of other sites.
>> http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
>> Implication: Whatever protocol you use that uses cookies ought to
>> be resilient to malicious deletion of cookies. I'm not sure if this
>> was mentioned in Adam's document.
>
>Good point. I've added this text:
>
>[[
> <t>Finally, an attacker might be able to force the user agent to
> delete cookies by storing a large number of cookies. Once the user agent
> reaches its storage limit, the user agent will be forced to evict some
> cookies. Servers SHOULD NOT rely upon user agents retaining
> cookies.</t>
>]]
Even stronger, Safari has a UI for deleting cookies. I use it frequently.
If I weren't so lazy I might have a program to mutate them instead. :-)
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
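The eviction scenario quoted above, as an added simulation (not code from the thread or from any user agent): a tiny global cookie store that evicts the oldest cookie once full, a login-attempt limiter that keeps its counter in a client cookie, and the resilient alternative that keeps the counter server-side. All hosts, limits and names are constructed for the demonstration.

```python
from collections import OrderedDict

MAX_COOKIES = 3  # constructed: tiny global storage limit for the simulation


class CookieJar:
    """Simplified user-agent store: one global limit, oldest cookie evicted
    first, regardless of which host set it (assumption modelled on the thread)."""

    def __init__(self, limit=MAX_COOKIES):
        self.limit = limit
        self.store = OrderedDict()  # (host, name) -> value

    def set(self, host, name, value):
        key = (host, name)
        self.store.pop(key, None)          # re-setting moves it to newest
        self.store[key] = value
        while len(self.store) > self.limit:
            self.store.popitem(last=False)  # evict the oldest cookie

    def get(self, host, name):
        return self.store.get((host, name))


class CookieCountedLimiter:
    """Weak: relies on the user agent retaining an 'attempts' cookie."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts

    def attempt(self, jar, host, user):
        n = int(jar.get(host, "attempts") or 0)
        if n >= self.max_attempts:
            return "blocked"
        jar.set(host, "attempts", str(n + 1))
        return "allowed"


class ServerCountedLimiter:
    """Resilient: the counter lives on the server, keyed by account."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.counts = {}

    def attempt(self, jar, host, user):
        n = self.counts.get(user, 0)
        if n >= self.max_attempts:
            return "blocked"
        self.counts[user] = n + 1
        return "allowed"


def run_scenario(limiter, flood=0, rounds=5):
    """Five login attempts; between attempts another host stores `flood`
    cookies, which pushes the limiter's cookie out of a full jar."""
    jar = CookieJar()
    results = []
    for _ in range(rounds):
        results.append(limiter.attempt(jar, "bank.example", "alice"))
        for j in range(flood):
            jar.set("other.example", f"c{j}", "x")
    return results
```

With no other cookies stored, both limiters block after three attempts; once another host fills the jar between attempts, only the server-side counter still blocks.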