- From: Keld J|rn Simonsen <keld@dkuug.dk>
- Date: Mon, 6 Oct 1997 21:02:38 +0200
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I recently asked about how you could use cookies to make some lightweight security, and got the answer that cookies are easy to spoof and thus very insecure. You can just as a server ask for another servers cookie, and then you can spoof the original server. My idea was that this kind of spoofing could be prevented, if the client stored the cookie with an identification of the server. Then to spoof you need to do IP spoofing, which can be done, but which is close to being criminal. Is that something to list in a "best practice" section somewhere? keld
Received on Monday, 6 October 1997 12:06:19 UTC