[unisog] in memory cookie safe from theft ??
sbernard at gmu.edu
Wed Mar 12 01:00:51 GMT 2003
You might want to remind the vendor that this is only true *after* the
user has closed *all* instances of the browser that they were using when
the cookie was set. Once that happens, the in-memory cookie should be
flushed from RAM.
It sounds like you should trust the vendor about as far as you can toss
their product ;)
Russell Fulton wrote:
> Firstly, thanks to all of you who responded (either on or off the list)
> to my previous query about cookies. I try to respond personally to
> everyone but I've been somewhat busy chasing sendmail and I may have
> missed someone.
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs. I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the browser into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie.
> The thing I really hate about this is that the security depends on how
> the clients are configured!
> Any comments?
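The distinction at the heart of this thread is that "in memory" and "readable by script" are two independent properties of a cookie. Whether a browser keeps a cookie only in RAM is decided by the absence of an Expires or Max-Age attribute; whether script running in the page (including script injected through an XSS bug) can read it via document.cookie is decided by the HttpOnly attribute. The following is an added example, not code from the thread or from the vendor's product: a small Node.js helper that builds a session cookie with the protective attributes and an auditor that parses a Set-Cookie header and reports whether the cookie is in-memory and whether page script could read it. Cookie names and values are constructed for illustration.

```javascript
// Added example (not from the unisog thread). "In memory" (no Expires/Max-Age)
// is orthogonal to "script-readable" (no HttpOnly): a session cookie without
// HttpOnly is still exposed to any script running in the issuing origin.

// Build a session (in-memory) cookie. Defaults: HttpOnly, Secure, SameSite=Strict.
function buildSessionCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = "Strict", path = "/" } = opts;
  // RFC 6265 token characters for the name; reject separators in the value.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("bad cookie name");
  if (/[;\s,"\\]/.test(value)) throw new Error("bad cookie value");
  const parts = [`${name}=${value}`, `Path=${path}`]; // no Expires/Max-Age => session cookie
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header: is the cookie in-memory, and could page script read it?
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  const scriptReadable = !("httponly" in c.attrs);
  const findings = [];
  if (scriptReadable) findings.push("missing HttpOnly: readable via document.cookie");
  if (!("secure" in c.attrs)) findings.push("missing Secure: sent over plain HTTP");
  if (!("samesite" in c.attrs)) findings.push("missing SameSite");
  return { name: c.name, inMemory: !persistent, scriptReadable, findings };
}

// Usage (constructed values):
console.log(auditSetCookie(buildSessionCookie("sid", "abc123")));
console.log(auditSetCookie("sid=abc123; Path=/")); // in-memory but script-readable
```

The second audit call models the vendor's cookie as described in the thread: it never reaches disk, yet without HttpOnly it is exactly as exposed to an XSS bug in the same origin as a persistent cookie would be. The browser-side caveat from the reply above still applies even to a properly flagged cookie: the cookie lives until the last browser window sharing that session is closed.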