Re: draft-west-cookie-prefixes-05 comments

On 4 December 2015 at 14:25, Martin Thomson <martin.thomson@gmail.com> wrote:

> Is this a risk that can be mitigated by selecting another character,
> say '*' or '~'?  I know that people like to use characters that are
> valid identifiers in their language of choice, which biases toward '_'
> and maybe sometimes '-'.  But there are other characters that can be
> used in cookie names.
>
> Just looking at the definition for token, I see: !#$%'*+.^|~ as all
> being valid.  Obviously, RFC 2068 attached the semblance of a semantic
> to '$', so that might be a bit of a mistake, as noted, but absent
> information, I'd suggest that you could easily use ~~SECURE=foo and
> grab the entire namespace after ~~ (or some other sequence of
> characters that look like swearwords...)
>
>
Hah, ~~SECURE looks like it says "approximately secure." I like it.

If it's really an issue, I think it makes the most sense to choose
something that isn't valid in any language of choice, since there's a good
chance someone has used all the valid-looking ones somewhere in some hacky
kluge.

Cheers
-- 
  Matthew Kerwin
  http://matthew.kerwin.net.au/
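As an added example, not part of this thread or of the draft itself: a small Python check that (a) tests a cookie name against the RFC 7230 token grammar, which is where the `!#$%'*+.^|~` list in the quoted message comes from, and (b) enforces a prefix rule on the `~~SECURE` namespace floated above. The prefix name and the rule it carries (a cookie in that namespace must also carry the `Secure` attribute) are my assumptions for the example, mirroring the rule the cookie-prefixes draft attaches to its own `__Secure-` prefix; the parser is a hypothetical minimal helper, not a full RFC 6265 parser.

```python
"""Added example (not part of the mailing-list thread or the draft):
validate cookie names against the RFC 7230 token grammar and apply a
prefix rule to the '~~SECURE' namespace proposed in the quoted message.
"""
import string

# RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = set("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# Assumption for this example: the prefix from the quoted message, and the
# rule that anything in its namespace must be set with the Secure attribute.
PREFIX = "~~SECURE"


def is_token(name: str) -> bool:
    """True if name is non-empty and every character is a tchar."""
    return bool(name) and all(ch in TCHAR for ch in name)


def parse_set_cookie(header: str):
    """Minimal Set-Cookie parser (hypothetical helper for this example).

    Returns (name, value, attrs). Attribute names are lower-cased; valueless
    attributes such as Secure map to None. Quoted values and date parsing
    are deliberately out of scope.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError("cookie-pair must contain '='")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def check_prefixed_cookie(header: str):
    """Return (accept, reason) for one Set-Cookie header value.

    Rejects names that are not valid tokens, and rejects any name inside
    the PREFIX namespace that was set without the Secure attribute.
    """
    name, _value, attrs = parse_set_cookie(header)
    if not is_token(name):
        return False, "cookie name is not a valid token"
    if name.startswith(PREFIX) and "secure" not in attrs:
        return False, f"{PREFIX} namespace requires the Secure attribute"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdr in (
        "~~SECURE-session=abc; Secure; HttpOnly",
        "~~SECURE-session=abc; HttpOnly",
        "session=abc",
        "bad name=abc",
    ):
        print(f"{hdr!r}: {check_prefixed_cookie(hdr)}")
```

The point of the namespace check is that the prefix is only useful if the receiving side refuses cookies that wear the prefix without meeting its rule; a name-only convention gives no protection on its own.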

Received on Friday, 4 December 2015 05:21:40 UTC