[unisog] in memory cookie safe from theft ??

Steve Bernard sbernard at gmu.edu
Wed Mar 12 01:00:51 GMT 2003


You might want to remind the vendor that this is only true *after* the 
user has closed *all* instances of the browser that they were using when 
the cookie was set. Once that happens, the in-memory cookie should be 
flushed from RAM.

It sounds like you should trust the vendor about as far as you can toss 
their product ;)


Steve


Russell Fulton wrote:
> Hi,
> 	Firstly thanks to all of you who responded (either on or off the list )
> to my previous query about cookies.  I try to respond personally to
> everyone but I've been somewhat busy chasing sendmail and I may have
> missed someone.
> 
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.  I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the browser into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie. 
> 
> The thing I really hate about this is that the security depends on how
> the clients are configured!
> 
> Any comments?
> 
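The point being argued in the thread is whether a cookie that is never written to disk (an in-memory or "session" cookie, one sent without `Expires`/`Max-Age`) is out of reach of a script injected via XSS. The following is an added example, not code from the thread or from the vendor's product: a small audit of constructed `Set-Cookie` headers that separates the two properties the vendor conflates. Whether the cookie persists to disk is decided by `Expires`/`Max-Age`; whether page script can read it via `document.cookie` is decided by the `HttpOnly` attribute, which the thread does not mention. The header values and cookie names are invented for the example.

```python
"""Audit Set-Cookie headers: persistence to disk vs. readability by page script.

Added example (not from the unisog thread). Sample headers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    persistent: bool      # Expires or Max-Age present -> browser may write it to disk
    http_only: bool       # HttpOnly present -> not exposed through document.cookie
    secure: bool          # Secure present -> only sent over HTTPS
    script_readable: bool  # derived: an injected script can read it via document.cookie


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    persistent = "expires" in attrs or "max-age" in attrs
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    # Living only in RAM does not hide the cookie from script; only HttpOnly does.
    return CookieAudit(
        name=name.strip(),
        persistent=persistent,
        http_only=http_only,
        secure=secure,
        script_readable=not http_only,
    )


def audit(headers: List[str]) -> List[CookieAudit]:
    return [parse_set_cookie(h) for h in headers]


def findings(audits: List[CookieAudit]) -> List[str]:
    """One human-readable line per cookie, for a defender reviewing a server's responses."""
    lines = []
    for a in audits:
        storage = "persistent (on disk)" if a.persistent else "in-memory (session)"
        exposure = "READABLE by page script" if a.script_readable else "hidden from page script"
        lines.append(f"{a.name}: {storage}, {exposure}, Secure={'yes' if a.secure else 'no'}")
    return lines


# Constructed sample responses: the vendor's claim would treat the first one as safe.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",                                  # in-memory, no HttpOnly
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",                # in-memory, HttpOnly
    "remember=xyz; Expires=Wed, 12 Mar 2004 01:00:51 GMT; Path=/",  # on disk, readable
]

if __name__ == "__main__":
    for line in findings(audit(SAMPLE_HEADERS)):
        print(line)
```

The first sample is exactly the case in the thread: a session cookie held only in RAM, yet fully readable by any script running in the issuing site's origin, which is why a same-domain XSS bug matters regardless of disk storage. `HttpOnly` closes the `document.cookie` path but not the problem entirely: injected script can still issue requests from the victim's browser, and the browser attaches the cookie to them, so the server-side fix (input/output encoding, short session lifetimes) is still needed and does not depend on how clients are configured.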


