[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Gmail/SSL

On Mon, Mar 10, 2008 at 5:47 PM, coderman <coderman@xxxxxxxxx> wrote:
> ...
>  i am referring solely to the auth cookie management

my last comments (to myself :) on this subject for site devs or cookie mungers:

IE since v6 SP1 and firefox 3.x support a 'httponly' cookie option to
prevent scripting access to leak sessions auth.  most web scripting /
libraries already provide this option when sending cookies to the

regarding transparent proxy of SSL/TLS to enforce safe cookie
settings, you have to use a MITM proxy ala webwasher ssl scanner [0].

best regards,

0. Webwasher SSL Scanner

the PKI hijinx required to implement this securely and transparently
is why i called this a pain in the a ss, even if it is the most
effective way to enforce secure only policy.