RE: netscape

Tim (tbelcher@tds.com)
Fri, 15 Mar 1996 08:05:23 -0500

I am sure Netscape is aware of it considering Cookies are a feature, not
a bug.  What this really allows you to do is maintain client information
in a connectionless client.  In short, any server can write data to your
cookie file.  When you connect to that site in the future, based on the
parameters in the cookie file, your client will then feed the cookie
information back to the host.  There are security considerations
implemented in Netscape and others that prevent misuse.  For instance,
the server can only set cookies of a certain length.  Several parameters
are required such as time to live.  And the server can only set cookies
at the .domain.domain level, and they must match the server's site.
Meaning, Cookies have to be set to the host level and have at least 2
periods in the address.  Also, this prevents my site from adding a
cookie to your site.

Again, all of this is moot considering the information is not taken from
a client, but given by the client whenever browsing a host that matches
an entry in the cookies file.  The server then can get the information
from the server's environment under $ENV{"HTTP_COOKIES"}.  The only
security problem I see is servers using this information to cache and
automatically parse a user's password for their site.  However, this is
no less secure than using .htaccess files or their equiv considering
they are clear text as well.  However, there is a secure option in
cookies that will let the client know to only transmit the cookie when
connected to a secure server.

A couple of sites with more info are:

        http://www.emf.net/~mal/cookiesinfo.html
        http://www.illuminatus.com/cookie

Cheers,

Tim

[ Quoted Item Deleted - RuF]
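
Added example, not part of the original message and not Netscape's code: a Python model of the client-side checks the message describes (length limit, at least two periods in the domain, domain must match the setting server, and the secure option). The class and function names, the sample hosts, and the 4096-byte limit are assumptions made for the illustration.

```python
from dataclasses import dataclass

MAX_COOKIE_BYTES = 4096  # assumed limit for this example; the message gives no figure


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # e.g. ".example.com" (constructed sample value)
    secure: bool = False  # the "secure" option: send only over a secure connection


def domain_matches(host: str, domain: str) -> bool:
    """Tail match on a label boundary, so "badexample.com" does not match ".example.com"."""
    domain = domain.lower()
    if not domain.startswith("."):
        domain = "." + domain
    return ("." + host.lower()).endswith(domain)


def may_set(server_host: str, cookie: Cookie) -> bool:
    """Client-side check applied when a server asks to store a cookie."""
    if len(cookie.name) + len(cookie.value) > MAX_COOKIE_BYTES:
        return False
    # At least two periods: rejects ".com", which would cover every .com site.
    if cookie.domain.count(".") < 2:
        return False
    # The domain must match the server that is setting it.
    return domain_matches(server_host, cookie.domain)


def cookies_to_send(jar, host: str, secure_channel: bool):
    """Cookies the client volunteers on a request to `host`."""
    return [c for c in jar
            if domain_matches(host, c.domain) and (secure_channel or not c.secure)]
```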