[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
On Mon, Mar 10, 2008 at 5:47 PM, coderman <coderman@xxxxxxxxx> wrote:
> i am referring solely to the auth cookie management
my last comments (to myself :) on this subject for site devs or cookie mungers:
IE since v6 SP1 and firefox 3.x support a 'httponly' cookie option to
prevent scripting access to leak sessions auth. most web scripting /
libraries already provide this option when sending cookies to the
regarding transparent proxy of SSL/TLS to enforce safe cookie
settings, you have to use a MITM proxy ala webwasher ssl scanner .
0. Webwasher SSL Scanner
the PKI hijinx required to implement this securely and transparently
is why i called this a pain in the a ss, even if it is the most
effective way to enforce secure only policy.