[unisog] in memory cookie safe from theft ??
pmeunier at purdue.edu
Tue Mar 11 14:53:05 GMT 2003
On 3/10/03 4:33 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> Firstly thanks to all of you who responded (either on or off the list)
> to my previous query about cookies. I try to respond personally to
> everyone but I've been somewhat busy chasing sendmail and I may have
> missed someone.
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs. I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the browser into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie.
> The thing I really hate about this is that the security depends on how
> the clients are configured!
> Any comments?
As an addendum to my last post, note that the domains involved do not need
to be identical:
"There is one exception to the same origin rule. A script can set the value
of document.domain to a suffix of the current domain. If it does so, the
shorter domain is used for subsequent origin checks. For example, assume a
script in the document at http://store.company.com/dir/other.html executes
document.domain = "company.com";
After execution of that statement, the page would pass the origin check with
So, any web page from auckland.ac.nz (e.g., a student's web page) *may* be
portal, such as usernames and passwords, depending on the exact domain names
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist
Purdue University CERIAS
656 Oval Drive
West Lafayette, IN 47907-2039
+1 (765) 494-7841 (main)