in memory cookie safe from theft ??

Russell Fulton r.fulton at auckland.ac.nz
Mon Mar 10 21:33:05 GMT 2003


Hi,
	Fistly thanks to all of you who responded (either on or off the list )
to my previous query about cookies.  I try to respond personally to
everyone but I've been somewhat busy chasing sendmail and I may have
missed someone.

The vendor of the software (this isn't something we have control over :(
) says that since the cookie isn't written to disk the cookie isn't
vulnerable to being stolen via XSS bugs.  I can see that this definitely
makes it more difficult but my gut feeling is that there are ways to
trick the brower into giving up the cookie. This is particularly so if
the web site with the XSS 'bug' is in the same domain as the site that
issued the cookie. 

The thing I really hate about this is that the security depends on how
the clients are configured!

Any comments?

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin



More information about the unisog mailing list