[web-devel] HttpOnly
Gregory Collins
greg at gregorycollins.net
Thu Jun 30 17:56:27 CEST 2011
On Thu, Jun 30, 2011 at 10:39 AM, Chris Smith <cdsmith at gmail.com> wrote:
> On Jun 30, 2011 8:25 AM, "Chris Smith" <cdsmith at gmail.com> wrote:
>> The kinds of cookies generated by clientsession are not really vulnerable
>> to
>> cookie-stealing attacks anywa due to the encryption that goes on [...]
>
> On further thought, I'm wrong about this... but the conclusion is the same;
> those cookies definitely ought to be setting the http-only flag.
Yeah, even if the cookie is an opaque blob it could be vulnerable to
time-limited replay attack. Not worth it.
G
--
Gregory Collins <greg at gregorycollins.net>
More information about the web-devel
mailing list