- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 2 Apr 2015 21:32:43 +0200
- To: "Walter H." <Walter.H@mathemainzel.info>
- Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Thu, Apr 02, 2015 at 09:08:07PM +0200, Walter H. wrote:
> think of the following:
> in my country there existed a bank, that had in its electronic banking
> no session cookies;
> they had a worse solution,
> the session was stored in the URL, so it was possible not only on
> another browser or session of the same computer to use this URL
> also on another computer, because, the WAN address was the same ...

You will never get rid of developers who do crap until they are responsible for the impact of their ignorance or lack of care.

> and now think of MITM, nothing easier than this, you use the same session;
> can you really prove, money is lost, and it was not you?

At least in my country, it's the bank who needs to prove it was me. That makes a huge difference because they go to great lengths analysing fraud and take security with seriousness.

Willy
Received on Thursday, 2 April 2015 19:33:11 UTC
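The anti-pattern Walter describes, a session identifier carried in the URL instead of a cookie, shows up in ordinary server logs and can be replayed from any client that sees the URL. The Python below is an added example, not code from the thread or from any bank: it scans constructed access-log lines for session-like query parameters, reports tokens reused from more than one client address (the "another computer" case above), and builds the Set-Cookie header a cookie-based session would use instead. The parameter-name list, log format regex and sample log lines are assumptions made for the example.

```python
"""Added example (not from the mailing-list thread): defender-side checks for
a session identifier carried in the URL, plus the cookie alternative.

- scan_access_log(): flags requests whose request-target carries a
  session-like parameter, the kind of entry that exposes the design in logs.
- shared_tokens(): finds tokens seen from more than one client address.
- session_cookie_header(): builds a Set-Cookie header with the attributes that
  keep a session token out of URLs, logs and Referer headers.

Parameter names, the log regex and the sample lines are constructed.
"""
import re
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed list of parameter names commonly used for session ids (assumption).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}

# Minimal Common Log Format matcher (constructed for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def session_params_in_url(url: str) -> dict:
    """Return {name: value} for query parameters that look like session ids."""
    parts = urlsplit(url)
    found = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in SESSION_PARAM_NAMES:
            found[name] = values[0]
    # Servlet-style path parameter: /account;jsessionid=ABC
    m = re.search(r";jsessionid=([^;?/]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found


def scan_access_log(lines):
    """Return (client_ip, request_target, {param: token}) for every request
    whose URL carries a session identifier."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format; skip it
        params = session_params_in_url(m.group("path"))
        if params:
            hits.append((m.group("ip"), m.group("path"), params))
    return hits


def shared_tokens(hits):
    """Group hits by token value and return the tokens used from more than one
    client address, i.e. a session replayed from another machine."""
    by_token = {}
    for ip, _path, params in hits:
        for token in params.values():
            by_token.setdefault(token, set()).add(ip)
    return {t: ips for t, ips in by_token.items() if len(ips) > 1}


def session_cookie_header(token=None, max_age=900):
    """Build a Set-Cookie value for a session cookie. Secure keeps it off plain
    HTTP, HttpOnly keeps page scripts away from it, SameSite=Strict stops it
    riding on cross-site requests, and the __Host- prefix binds it to this
    host; none of these protections exist for a token in the URL."""
    token = token or secrets.token_urlsafe(32)
    return (f"__Host-session={token}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


# Constructed sample log lines (documentation IP ranges, not a real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Apr/2015:21:00:01 +0200] "GET /ebanking/overview?sid=8f3a9c12 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [02/Apr/2015:21:00:07 +0200] "GET /static/logo.png HTTP/1.1" 200 812',
    '198.51.100.7 - - [02/Apr/2015:21:03:44 +0200] "GET /ebanking/transfer?sid=8f3a9c12 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [02/Apr/2015:21:04:10 +0200] "POST /ebanking/transfer;jsessionid=ZZ9 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for ip, path, params in hits:
        print(f"{ip} {path} -> {params}")
    for token, ips in shared_tokens(hits).items():
        print(f"token {token} used from {sorted(ips)}")
    print(session_cookie_header("example-token"))
```

Run against the constructed lines, the scan reports three URL-carried tokens and flags `8f3a9c12` as used from two different addresses; a token delivered only in a cookie with the attributes above would not appear in the request line at all.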