On 4 December 2015 at 14:25, Martin Thomson <martin.thomson@gmail.com>
wrote:
> Is this a risk that can be mitigated by selecting another character,
> say '*' or '~'? I know that people like to use characters that are
> valid identifiers in their language of choice, which biases toward '_'
> and maybe sometimes '-'. But there are other characters that can be
> used in cookie names.
>
> Just looking at the definition for token, I see: !#$%'*+.^|~ as all
> being valid. Obviously, RFC 2068 attached the semblance of a semantic
> to '$', so that might be a bit of a mistake, as noted, but absent
> information, I'd suggest that you could easily use ~~SECURE=foo and
> grab the entire namespace after ~~ (or some other sequence of
> characters that look like swearwords...)
>
>
Hah, ~~SECURE looks like it says "approximately secure." I like it.
If it's really an issue, I think it makes the most sense to choose
something that isn't valid in any language of choice, since there's a good
chance someone has used all the valid-looking ones somewhere in some hacky
kluge.
Cheers
--
Matthew Kerwin
http://matthew.kerwin.net.au/
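As an added example (not code from this thread), the following Python check applies the two points above: which characters the HTTP token grammar (RFC 7230 tchar, reused by RFC 6265 for cookie-name) permits, and whether a namespace marker such as the suggested `~~` can collide with identifier-style names. The `~~` marker semantics, the identifier shape and the sample Cookie header are assumptions constructed for the example.

```python
import re

# RFC 7230 "tchar": the character set of an HTTP token, which RFC 6265 reuses
# for cookie-name. It covers the punctuation quoted above plus & - _ and `.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Hypothetical namespace marker taken from the suggestion above; not a standard.
NAMESPACE_MARKER = "~~"

# Approximate identifier shape shared by C, Python, JavaScript and Perl
# ('$' included because JavaScript and Perl allow it). Used to judge whether
# a marker could clash with names an application might already have chosen.
IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

# Constructed sample request header with valid, reserved and malformed names.
SAMPLE_COOKIE = "session=abc123; ~~SECURE-sid=xyz; bad name=1; _csrf=tok; novalue"


def is_token(name: str) -> bool:
    """True if `name` is a syntactically valid (non-empty) cookie-name."""
    return bool(name) and all(c in TCHAR for c in name)


def marker_is_identifier_safe(marker: str) -> bool:
    """A marker is a safe namespace choice if it is token-valid but its first
    character cannot begin an identifier, so '_'/'$'-style names cannot clash."""
    return is_token(marker) and not IDENTIFIER.match(marker[0] + "x")


def classify_cookie_header(header: str) -> dict:
    """Split a Cookie header into name/value pairs, dropping pairs whose name is
    not a token, and list the names that fall in the reserved namespace."""
    accepted, reserved, rejected = {}, [], []
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep or not is_token(name):
            rejected.append(pair.strip())
            continue
        accepted[name] = value
        if name.startswith(NAMESPACE_MARKER):
            reserved.append(name)
    return {"accepted": accepted, "reserved": reserved, "rejected": rejected}


if __name__ == "__main__":
    for m in ("~~", "__", "$$"):
        print(m, "identifier-safe:", marker_is_identifier_safe(m))
    print(classify_cookie_header(SAMPLE_COOKIE))
```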