Mostly my cookies are just CFID and CFToken.  On some sites, I store a login
ID (a long, random number).  That could only be useful if somebody wanted to
mimic a user.  Since I don't get involved in e-commerce too much, there
isn't much to be gained financially from mimicking a user on my sites.  On
some sites, you could potentially mimic a user and gain access to
information that is not available to the public.

Frankly, if anybody sets up a site to suck cookies from site visitors (I'm
just theorizing), it would seem that they are going to need a lot of site
traffic to make the effort worth the while.  And then they would really only
want to parse out domains where users store their credit card information
and that information is fully displayed to them, and that's not Amazon.  I
suppose, some really malicious person could suck a bunch of Amazon cookie
info and force feed beanie babies to people all over the country.

Again, I'm just thinking this hack is of extremely limited value.  It's not
good news and it should be fixed but it doesn't seem like a huge threat.
But, then again, the media is going to play it that way.

H. <-- a member of the media


=========================
Howard Owens
Web Producer
InsideVC.com
mailto:[EMAIL PROTECTED]
=========================

> -----Original Message-----
> From: Todd Ashworth [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 16, 2000 1:47 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: "You have nice cookies .. mind if I have a look?"
> 
> Like I said .. turning off cookies won't save you from someone getting to
> the cookies you already have stored on your machine.  Besides, the problem
> ISN'T with cookies .. it's with crappy MS security .. surprise, surprise.
> Notice how the only people affected by this at all are people using IE and
> Windows ... quite the dynamic duo.  Netscape doesn't have this problem and
> neither do any other operating systems.  I say don't worry about it and use
> your cookies .. just, now we have to take on the added responsibility of
> designing our sites to provide Microsoft's cookie security for them.  Now ..
> anyone have any useful ideas on how to do this?
> 
> One thing I can think of is .. the timing of this 'hack' is awkward.
> Someone would have to go to that special URL for the would be 'hacker' to
> get the info in question.  How often do you think that is going to happen?
> One helpful precaution is to expire potentially sensitive cookies as soon as
> possible.  If you set the expiration for 30 minutes or so, the chances of
> that cookie getting snagged is small, I would think.  If someone can't fill
> out a form in 30 minutes .....
> 
> Anyone have other ideas?
> 
> Todd Ashworth
> Web Application Developer
> (803) 327-0137 [111]
> _____________________________________________
> Ask about our low-cost, 100% user-configurable, turn-key
> web sites that can have your business on the web in minutes!
> Saber Designs - Web sites done right, right now!
> 
> ----- Original Message -----
> From: "Owens, Howard" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, May 16, 2000 4:03 PM
> Subject: RE: "You have nice cookies .. mind if I have a look?"
> 
> 
> |
> | Well, to me, the main issue isn't what CF does or doesn't do with cookies
> | ... it's user perception.  This is one more feather in the cap of the
> | anti-cookie maniacs.  Wait until the media reports this -- "Cookies Steal
> | User Identities ... film at 11"  It could get ugly.
> |
> | My latest programming methodology has relied on cookies and my attitude has
> | been anti-cookie fanatics be damned.  If you disable cookies you can't use
> | my site!!!  This whole new security hole undercuts my primary argument:
> | There is nothing wrong with cookies.  Well, now, we find out, there is.  I
> | don't know if that's going to change much of what I'm doing because the
> | actual value of exploiting this hack is rather slim, it seems to me.
> |
> | I like session vars.  I want to use session vars (not to mention client
> | vars). I shouldn't need to jump through the hoops of passing session vars
> | through URLs and hidden input fields (sort of defeats the purpose, doesn't
> | it?).  For now, I'm going to keep using cookies as I've been using them.
> |
> | However ... friggin' frackin' Microsoft!!!!!!!!!!!
> |
> | H.
> |
> | =========================
> | Howard Owens
> | Web Producer
> | InsideVC.com
> | mailto:[EMAIL PROTECTED]
> | =========================
> |
> | > -----Original Message-----
> | > From: Sharon DiOrio [SMTP:[EMAIL PROTECTED]]
> | > Sent: Tuesday, May 16, 2000 12:56 PM
> | > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> | > Subject: RE: "You have nice cookies .. mind if I have a look?"
> | >
> | > Because the web is "stateless", each http request is independent of the
> | > previous ones.  So the web server (any web server, not just CF) needs a way
> | > to establish that multiple http requests belong to the same user.
> | > Therefore, session state needs to be maintained either by setting cookies
> | > or by passing a unique ID in URL variables.
> | >
> | > In Cold Fusion SESSION management, the temporary cookie only contains CFID
> | > and CFToken, values that mean nothing except to the Cold Fusion server that
> | > set them, so having them stolen is less of a security risk than setting
> | > discrete cookies with user specific information.
> | >
> | > Sharon
> | >
> | > At 12:44 PM 5/16/2000 -0700, paul smith wrote:
> | > >Nope.  You only need session vars
> | > >to maintain a session state.
> | > >You need to set cookies on your
> | > >visitor's 'puter if you want them
> | > >to be able to login automagically.
> | > >
> | > >best,  paul
> | > >
> | > >At 03:04 PM 5/16/00 -0400, you wrote:
> | > >>I thought cookies had to be enabled for session scoping to work?
> | > >
> | >
> |
> |
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
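As an added illustration of the two cookie styles the thread contrasts (an opaque, short-lived session token in the style of CFID/CFTOKEN versus a persistent login ID carried in the cookie itself), here is a small Python model; it is not from the thread or from ColdFusion. `SessionStore`, `resolve_login_id_cookie` and the 30-minute TTL are assumptions drawn from the discussion, and the login ID table is constructed.

```python
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # the 30-minute expiry proposed in the thread


class SessionStore:
    """Server-side session table keyed by an opaque token (like CFID/CFTOKEN).

    The cookie value is random and means nothing outside this server: the user
    identity lives only in the server-side record, which is dropped once the
    TTL elapses, so a copied cookie stops working soon after it is taken.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock    # injectable so expiry can be exercised offline
        self._sessions = {}    # token -> (user_id, expires_at)

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to user_id
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def resolve(self, token):
        """Return the user behind a presented cookie, or None if unknown/expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() >= expires_at:
            del self._sessions[token]      # lazily purge the expired session
            return None
        return user_id


def resolve_login_id_cookie(cookie_value, login_ids):
    """Contrasting pattern: a long-lived cookie that carries the login ID itself.

    Nothing server-side bounds it, so a copied value names the user until the
    ID is changed; login_ids is a constructed {login_id: user} table.
    """
    return login_ids.get(cookie_value)
```

Injecting a fake clock shows the difference directly: the session token resolves for 30 minutes and then fails, while the login ID keeps resolving for as long as the table holds it.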
