- From: Jonathan Stark <stark@truste.org>
- Date: Mon, 6 Oct 1997 12:12:42 -0700 (PDT)
- To: Keld J|rn Simonsen <keld@dkuug.dk>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> > I recently asked about how you could use cookies to make some > lightweight security, and got the answer that cookies are easy to spoof > and thus very insecure. You can just as a server ask for another servers > cookie, and then you can spoof the original server. > > My idea was that this kind of spoofing could be prevented, if > the client stored the cookie with an identification of the server. > Then to spoof you need to do IP spoofing, which can be done, > but which is close to being criminal. > > Is that something to list in a "best practice" section somewhere? > > keld > This concept works well with static IP addresses, but totally breaks when you get a different dynamically allocated IP address the next time you dial into your ISP. The IP is different, but no spoofing has occured, and the cookie is valid. Jonathan
Received on Monday, 6 October 1997 12:39:18 UTC