Re: Linking a cookie to an IP address is a very bad in 2015...

On Thu, Apr 02, 2015 at 09:08:07PM +0200, Walter H. wrote:
> think of the following:
> in my country there existed a bank, that had in its electronic banking 
> no session cookies;
> they had a worse solution,
> the session was stored in the URL, so it was possible to use this URL 
> not only in another browser or session on the same computer, 
> but also on another computer, because the WAN address was the same  ...

You will never get rid of developers who do crap until they are
responsible for the impact of their ignorance or lack of care.

> and now think of MITM, nothing easier than this, you use the same session;
> can you really prove money is lost, and it was not you?

At least in my country, it's the bank who needs to prove it was me. That
makes a huge difference, because they go to great lengths analysing fraud
and take security seriously.


Received on Thursday, 2 April 2015 19:33:11 UTC