Date: Fri, 04 Oct 2013 08:11:03 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: A note on cookie based sessions

* Kurt Seifried:

> That's a problem, but also an inherent limitation of how such session
> handling works. The advantages are a stateless backend, no need for
> state DB, if you have many backends, especially distributed, logins
> just work no matter which server you connect to.

The downside is that you rely on cryptography in an essential way, which is never a good idea.

> the documentation can maybe be improved (especially mentioning
> HTTPS/HSTS to prevent sniffing of the cookie) but generally speaking
> this is covered, so no CVEs here.

What about applications built on top of those stacks which do not document this? Would they receive a CVE?

(Probably no, but I'd like to point out that documentation of features with a security impact is not an absolute thing.)
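The stateless design being debated above, as an added illustration that is not part of the thread: the session state lives entirely in the cookie, any backend holding the key can verify it, and the HMAC tag is the only thing that stops a client from rewriting its own claims. The key and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a deployment would load a long random secret from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_session_cookie(claims: dict, key: bytes = SECRET_KEY, ttl: int = 3600, now=None) -> str:
    """Serialise the claims plus an expiry, then append an HMAC-SHA256 tag.
    Nothing is stored server-side: every backend sharing `key` can verify the result."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({**claims, "exp": now + ttl}, sort_keys=True).encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def read_session_cookie(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the claims if the tag verifies and the session is unexpired, else None.
    The MAC check is the sole barrier against forged claims, hence the reliance on crypto."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        presented = _unb64(tag)
    except ValueError:  # malformed cookie or invalid base64
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims

def set_cookie_header(value: str) -> str:
    """Secure keeps the cookie off plaintext HTTP (pair it with HSTS); HttpOnly keeps it from scripts."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Rotating `SECRET_KEY` invalidates every outstanding session at once, which is the stateless design's only revocation mechanism short of adding server-side state.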