W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

spoofing cookies

From: Keld J|rn Simonsen <keld@dkuug.dk>
Date: Mon, 6 Oct 1997 21:02:38 +0200
Message-Id: <199710061902.VAA27734@dkuug.dk>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I recently asked about how you could use cookies to make some
lightweight security, and got the answer that cookies are easy to spoof
and thus very insecure. You can just as a server ask for another servers
cookie, and then you can spoof the original server. 

My idea was that this kind of spoofing could be prevented, if
the client stored the cookie with an identification of the server.
Then to spoof you need to do IP spoofing, which can be done,
but which is close to being criminal.

Is that something to list in a "best practice" section somewhere?

keld
Received on Monday, 6 October 1997 12:06:19 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:01 EDT