[E M]

| This brings me to the point that cookie based authentication is
| unsafe inherently and as far as I can tell not something that
| security minded developers would even consider.

Eh, you make me curious. What would a security minded developer of, say, a discussion forum where client side certificates is not an option use instead of cookies? I guess you won't say URL parameters, so I am really curious.

My opinion is that the cookies are fine. It is the output of scripts that needs addressing. A security minded developer would make a framework that did not permit HTML (that is: washed, sanitized, escaped, recoded, HTML encoded -- choose your favourite slang) tags from any data, except from the templates of the pages.

Oh, well. Friday night, just upgraded from ancient glibc 2.1.94 to 2.2.5 and had a few beers to give me courage to do the upgrade, so my opinions may not even be worth the usual two cents at the moment.

Sverre.

--
shhat_private
Play my free Nerd Quiz at
http://shh.thathost.com/ http://nerdquiz.thathost.com/
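
The framework idea in the message above (markup comes only from page templates, every data value is HTML-encoded on output), sketched as an added example that is not part of the original message. The `{{name}}` placeholder syntax, the `render` function, the template and the sample post are all assumptions constructed for illustration.

```python
import html
import re

# Assumed placeholder syntax: {{field}}. The template is trusted markup.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, data: dict) -> str:
    """Fill a trusted template with untrusted data, HTML-encoding every value."""
    def substitute(match):
        key = match.group(1)
        if key not in data:
            # Fail closed: a missing field is an error, not an empty string.
            raise KeyError(f"template references unknown field: {key}")
        # quote=True also encodes " and ', so a value cannot break out of
        # a quoted attribute or open a new tag in element content.
        return html.escape(str(data[key]), quote=True)
    # re.sub does not rescan its own output, so a data value that contains
    # "{{other}}" is emitted literally and never expanded a second time.
    return _PLACEHOLDER.sub(substitute, template)


# Trusted template: the only place tags are allowed to come from.
POST_TEMPLATE = (
    '<div class="post">\n'
    '  <span class="author" title="{{author}}">{{author}}</span>\n'
    '  <p>{{body}}</p>\n'
    '</div>'
)

# Constructed sample input standing in for a forum submission.
SAMPLE_POST = {
    "author": 'mallory" onmouseover="x',
    "body": "<script>alert(1)</script> & <b>bold</b>",
}

if __name__ == "__main__":
    print(render(POST_TEMPLATE, SAMPLE_POST))
```

HTML-encoding covers element content and quoted attribute values, as used in this template; values placed inside script blocks, URLs or style rules need encoding specific to those contexts.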
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 13:47:48 PST