- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Thu, 2 Apr 2015 11:18:30 -0500
- To: Michael Sweet <msweet@apple.com>
- Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Max Bruce <max.bruce12@gmail.com>, Willy Tarreau <w@1wt.eu>, Jim Manico <jim@manico.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
The HttpOnly flag is ... interesting. If a page contains injected scripts, game over, the attacker can do anything as the authorized user. The HttpOnly flag is like, you are walking in a thunderstorm? Here, wear this tinfoil hat.

Zhong Yu
bayou.io

On Thu, Apr 2, 2015 at 5:46 AM, Michael Sweet <msweet@apple.com> wrote:
> The cookie info should not be accessible to JavaScript if the HttpOnly flag
> is specified when the cookie is set... (Unless the browser is seriously
> broken...)
>
> Sent from my iPad
>
> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>
> Using User-Agent appears to me as more stable than the IP address for sure
> :-)
>
> And to reply to the suggestion of always using SSL (which is probably good
> anyway): it is not enough, as cookies can be stolen from the browser itself
> if an attacker can inject some JavaScript into the browser (using the good
> old cross-site scripting, for example).
>
> -éric
>
> From: Max Bruce <max.bruce12@gmail.com>
> Date: Wednesday, 1 April 2015 15:57
> To: Willy Tarreau <w@1wt.eu>
> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric
> Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
>
> That's a great point. What about User-Agent checking?
>
> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>>
>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>> > What about linking to several? I wrote a session system for my Web
>> > Server that will only allow access to the original Session ID if the IP &
>> > User-Agent has remained unchanged, in order to protect against session
>> > hijacking. I've found it's highly effective, unless you IP spoof.
>>
>> Sure it's highly effective. Just like it's highly effective in randomly
>> denying access to people who browse using multiple WiFi access points or
>> who switch between 3G and WiFi.
>>
>> Willy
>>
>
Received on Thursday, 2 April 2015 16:18:58 UTC
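Added example (editor's note, not part of the thread and not code from any of the posters): a small Python model of the two trade-offs argued above. A server can bind a session to the client IP and/or User-Agent; a browser's cookie jar attaches every cookie to requests it sends, while script only sees the non-HttpOnly ones. The IP addresses (RFC 5737 documentation ranges), the User-Agent string, the user name and the paths are all constructed for illustration; the `Browser` and `Server` classes are a simplified model, not any real implementation.

```python
"""Model of session binding (IP / User-Agent) and of HttpOnly under XSS.

Everything here is constructed for illustration: the addresses come from
RFC 5737 documentation ranges and the classes are a toy model of a browser
cookie jar and a session-checking server.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False


@dataclass
class Browser:
    """A browser: its jar attaches every cookie to every request it sends,
    whether the request was started by the user or by an injected script."""
    ip: str
    user_agent: str
    jar: dict = field(default_factory=dict)

    def script_visible_cookies(self) -> dict:
        # What document.cookie exposes: HttpOnly cookies are filtered out.
        return {c.name: c.value for c in self.jar.values() if not c.http_only}

    def request(self, server, path):
        # The jar does not care who initiated the request.
        cookies = {c.name: c.value for c in self.jar.values()}
        return server.handle(path, cookies, self.ip, self.user_agent)


class Server:
    """Session store that optionally binds a session to IP and/or User-Agent."""

    def __init__(self, bind_ip=True, bind_user_agent=True):
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self.sessions = {}  # session id -> (user, ip, user_agent)

    def login(self, browser: Browser, user: str) -> Cookie:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, browser.ip, browser.user_agent)
        cookie = Cookie("sid", sid, http_only=True)  # Set-Cookie: sid=...; HttpOnly
        browser.jar[cookie.name] = cookie
        return cookie

    def handle(self, path, cookies, ip, user_agent):
        record = self.sessions.get(cookies.get("sid"))
        if record is None:
            return 401, "no session"
        user, bound_ip, bound_ua = record
        if self.bind_ip and ip != bound_ip:
            return 401, "ip mismatch"
        if self.bind_user_agent and user_agent != bound_ua:
            return 401, "user-agent mismatch"
        return 200, f"{path} as {user}"


UA = "Mozilla/5.0 (constructed example browser)"


def scenario_hijack_stolen_cookie(bind_ip=True, bind_ua=True):
    """Attacker has the cookie value and replays it from another machine.
    Copying the User-Agent is trivial; sharing the victim's IP is not."""
    server = Server(bind_ip, bind_ua)
    victim = Browser("203.0.113.10", UA)
    cookie = server.login(victim, "alice")
    attacker = Browser("198.51.100.7", UA)
    attacker.jar["sid"] = Cookie("sid", cookie.value, http_only=True)
    return attacker.request(server, "/account")


def scenario_network_switch(bind_ip=True, bind_ua=True):
    """Legitimate user moves from 3G to WiFi: same browser, new address."""
    server = Server(bind_ip, bind_ua)
    victim = Browser("203.0.113.10", UA)
    server.login(victim, "alice")
    victim.ip = "192.0.2.44"
    return victim.request(server, "/account")


def scenario_xss(bind_ip=True, bind_ua=True):
    """Injected script runs inside the victim's own browser: it cannot read
    the HttpOnly cookie, but requests it issues still carry it and still
    originate from the bound IP and User-Agent."""
    server = Server(bind_ip, bind_ua)
    victim = Browser("203.0.113.10", UA)
    server.login(victim, "alice")
    leaked = victim.script_visible_cookies()
    status = victim.request(server, "/transfer?to=attacker")
    return leaked, status


if __name__ == "__main__":
    print("replay, IP+UA bound:  ", scenario_hijack_stolen_cookie(True, True))
    print("replay, UA-only bound:", scenario_hijack_stolen_cookie(False, True))
    print("3G->WiFi, IP bound:   ", scenario_network_switch(True, True))
    print("3G->WiFi, UA-only:    ", scenario_network_switch(False, True))
    print("XSS, HttpOnly cookie: ", scenario_xss())
```

Running it shows the three positions in the thread side by side: IP binding stops a replayed cookie but also logs out the user who changes networks; User-Agent binding survives the network change but is defeated by an attacker who simply sends the same header; and neither binding nor HttpOnly stops a request made by script already running in the victim's browser, since that request is, from the server's point of view, indistinguishable from the user's own.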