durusmail: quixote-users: a small patch
Greg Ward
2002-10-10
On 09 October 2002, Mikhail Sobolev said:
> You know, there are people called paranoid.  But being paranoid does not
> mean they do not watch you. :)  Seriously, I consider it a security flaw
> when catching a session cookie may allow a man-in-the-middle to access
> some sensitive information.

OK, you've convinced me: this is a potentially valuable feature for
sites that are more worried about stolen session cookies than about
making life difficult for users.  Everyone should pick their own point
on the security/convenience continuum, after all.

> On the other hand, I did not
> hear your thoughts for getting rid of this feature, maybe you somehow
> addressed this already.

We decided to remove the feature because no one was using it.  The
evidence for this was that it was broken in 0.5 (after I reorganized
session management), and it was quite a while before anyone noticed --
and it was Jon, the original author of the patch, who eventually
noticed.  Then several months went by before someone else -- you --
noticed.

> I also believe that in Jon's case (lwn.net) the main aim is to make the
> whole process rather pleasant for the visitors, so this check would be
> unnecessary as [I believe] no information that sensitive is stored
> anywhere.

Yep -- I don't think the consequences of stealing an lwn.net session
cookie would be disastrous.  (Jon?)  That's not the case for all sites.

        Greg
--
Greg Ward - software developer                gward@mems-exchange.org
MEMS Exchange                            http://www.mems-exchange.org
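The trade-off Greg describes, as an added example that is not code from Quixote or from the patch under discussion. The page does not say what the check compares, so this assumes the usual form of such a check: the session records the client's remote address when it is created, and a cookie presented from a different address is treated as stolen and the session discarded. `SessionManager`, `check_remote_address` and the RFC 5737 sample addresses are all illustrative names chosen here.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    """One server-side session, keyed by the random id sent in the cookie."""
    id: str
    remote_address: str                      # address the session was issued to
    created: float = field(default_factory=time.time)
    data: dict = field(default_factory=dict)


class SessionManager:
    """Minimal in-memory session store (illustrative, not Quixote's).

    check_remote_address is the assumed form of the check discussed in the
    thread: a cookie presented from an address other than the one it was
    issued to is treated as stolen and the session is discarded.
    """

    def __init__(self, check_remote_address=True):
        self.check_remote_address = check_remote_address
        self._sessions = {}

    def create_session(self, remote_address):
        # 32 random bytes, URL-safe; the id is the only secret in the cookie.
        sid = secrets.token_urlsafe(32)
        session = Session(id=sid, remote_address=remote_address)
        self._sessions[sid] = session
        return session

    def get_session(self, session_id, remote_address):
        """Return the session for this cookie value, or None if the value is
        unknown or (when checking) presented from the wrong address."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self.check_remote_address and session.remote_address != remote_address:
            # Assume theft: drop the session so that whoever holds the cookie,
            # the legitimate owner included, has to authenticate again.
            del self._sessions[session_id]
            return None
        return session


# Constructed sample addresses from the RFC 5737 documentation ranges.
USER_ADDR = "192.0.2.10"
USER_NEW_ADDR = "192.0.2.77"       # same user after a dial-up or proxy change
ATTACKER_ADDR = "198.51.100.7"


def attacker_with_stolen_cookie(check_remote_address):
    """True if a captured cookie value still works from the attacker's address."""
    mgr = SessionManager(check_remote_address)
    session = mgr.create_session(USER_ADDR)
    session.data["user"] = "alice"
    stolen_cookie = session.id                   # value captured in transit
    return mgr.get_session(stolen_cookie, ATTACKER_ADDR) is not None


def roaming_user(check_remote_address):
    """True if the legitimate user keeps the session after their address changes."""
    mgr = SessionManager(check_remote_address)
    session = mgr.create_session(USER_ADDR)
    return mgr.get_session(session.id, USER_NEW_ADDR) is not None


if __name__ == "__main__":
    for check in (True, False):
        print(f"check_remote_address={check}: "
              f"stolen cookie usable={attacker_with_stolen_cookie(check)}, "
              f"roaming user kept session={roaming_user(check)}")
```

With the check on, the stolen cookie is useless from the attacker's address, but a user whose address changes mid-session (a new dial-up lease, a rotating proxy pool) is logged out as well, which is the "making life difficult for users" side of the continuum. The check is also only as good as the address it sees: an attacker behind the same NAT or proxy as the victim presents the same address, and an interceptor who can inject traffic on the victim's path is not stopped by it either, so for the man-in-the-middle case Mikhail raises the check is a mitigation, not a substitute for protecting the cookie in transit.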