On 09 October 2002, Mikhail Sobolev said:
> You know, there are people called paranoid. But being paranoid does not
> mean they do not watch you. :) Seriously, I consider it a security flaw
> when catching a session cookie may allow a man-in-the-middle to access
> some sensitive information.

OK, you've convinced me: this is a potentially valuable feature for sites that are more worried about stolen session cookies than about making life difficult for users. Everyone should pick their own point on the security/convenience continuum, after all.

> On the other hand, I did not
> hear your thoughts for getting rid of this feature, maybe you somehow
> addressed this already.

We decided to remove the feature because no one was using it. The evidence for this was that it was broken in 0.5 (after I reorganized session management), and it was quite a while before anyone noticed -- and it was Jon, the original author of the patch, who eventually noticed. Then several months went by before someone else -- you -- noticed.

> I also believe that in Jon's case (lwn.net) the main aim is to make the
> whole process rather pleasant for the visitors, so this check would be
> unnecessary as [I believe] no such sensitive information is stored
> anywhere.

Yep -- I don't think the consequences of stealing an lwn.net session cookie would be disastrous. (Jon?) That's not the case for all sites.

Greg

--
Greg Ward - software developer gward@mems-exchange.org
MEMS Exchange http://www.mems-exchange.org