Date: Fri, 04 Oct 2013 08:11:03 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: A note on cookie based sessions

* Kurt Seifried:

> That's a problem, but also an inherent limitation of how such session
> handling works. The advantages are a stateless backend, no need for
> state DB, if you have many backends, especially distributed, logins
> just work no matter which server you connect to.

The downside is that you rely on cryptography in an essential way,
which is never a good idea.

> the documentation can maybe be improved (especially mentioning
> HTTPS/HSTS to prevent sniffing of the cookie) but generally speaking
> this is covered, so no CVEs here.

What about applications built on top of those stacks which do not
document this?  Would they receive a CVE?  (Probably no, but I'd like
to point out that documentation of features with a security impact is
not an absolute thing.)
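As an added illustration of the stateless, cookie-based session scheme discussed in this thread (example code, not from the thread or from any of the stacks mentioned), a minimal HMAC-signed session cookie in Python; the key, the `payload.timestamp.mac` layout and the lifetime are assumptions. It shows what "relying on cryptography in an essential way" means in practice: the only thing standing between a forged cookie and a valid login is the MAC check and the secrecy of the key.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example only; a deployment loads a random key from config.
SECRET_KEY = b"example-secret-key-not-for-production"
MAX_AGE = 3600  # seconds a session cookie stays valid (assumed lifetime)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_session_cookie(session: dict, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Put the session state in the cookie itself: no server-side store.
    Layout is payload.timestamp.mac; the MAC covers payload and timestamp."""
    ts = int(now if now is not None else time.time())
    payload = _b64(json.dumps(session, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{payload}.{ts}".encode(), hashlib.sha256).digest()
    return f"{payload}.{ts}.{_b64(mac)}"


def load_session_cookie(cookie: str, key: bytes = SECRET_KEY,
                        now: Optional[float] = None, max_age: int = MAX_AGE) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed, forged or expired.
    There is no database to cross-check against, so everything rests on this MAC."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    payload, ts, mac_b64 = parts
    try:
        given = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, f"{payload}.{ts}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak MAC bytes.
    if not hmac.compare_digest(given, expected):
        return None
    current = now if now is not None else time.time()
    if not ts.isdigit() or current - int(ts) > max_age:
        return None  # authentic but stale; a stateless scheme has no revocation list
    return json.loads(_unb64(payload))


def set_cookie_header(value: str) -> str:
    """Set-Cookie line keeping the cookie off plaintext HTTP and away from script;
    pair it with a Strict-Transport-Security header so the first request is HTTPS too."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"
```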
