Claude, There is literally nothing (not a single thing) that is "off limits" on the client side. You cannot trust or believe the browser is in any way, shape or form a secure environment, and you must assume that things like cookies can and will be hacked and experimented with. This is why it is important that variables be tied to temporary entities on the client side (like expiring session cookies) as you mention below. Beyond that your conclusions are correct and scary - but the alternative is probably to close up shop and move to a cabin in Montana :)
-Mark

-----Original Message-----
From: Claude Schnéegans <schneeg...@internetique.com>
Sent: Wednesday, September 03, 2014 10:29 PM
To: cf-talk
Subject: Re: OT, but stil...

>>They don't call it Malware for nothing

Ok, but if a malware does "mal" to a moron client side, in a pinch, this is not our problem, but if it can get passwords so easily, it can also do mal to any server any time.
I just got one tonight that allows itself to define cookies under MY domain!
If it can store cookies, it can also read cookies, including session cookies! With the session Id, it does not even need the password.
I'd like to detect all pieces of javascript code defined in a document and check if they are mine.
I was thinking of document.getElementsByTagName, but I'm not even sure all parasite code will actually have a <SCRIPT tag.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359230
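As an added illustration of the inventory Claude describes (example code written for this page, not something posted in the thread): document.getElementsByTagName("script") only finds SCRIPT elements, but code can also run from inline on* handler attributes and javascript: URLs, so a collector has to look at all three. The browser-side collector below produces a plain list of executable items; the pure audit function then compares that list against an allowlist of origins and known inline snippets. The page origin, allowed origins, known inline text and the sample items are all constructed for the example.

```javascript
// Added example, not from the cf-talk thread. Inventories every way script can
// execute in a page and flags anything the page owner did not ship.

// Browser side: walk the live DOM and describe each executable item found.
// This is the only function that touches `document`; the rest is pure so it
// can be exercised offline.
function collectScripts(doc) {
  const items = [];
  for (const s of doc.getElementsByTagName("script")) {
    items.push(s.src ? { kind: "external", value: s.src }
                     : { kind: "inline", value: s.textContent });
  }
  for (const el of doc.querySelectorAll("*")) {
    for (const attr of el.attributes) {
      // Inline event handlers (onload, onclick, onerror, ...) execute without a SCRIPT tag.
      if (/^on/i.test(attr.name)) {
        items.push({ kind: "handler", value: attr.value, element: el.tagName });
      }
      // javascript: URLs in href/src also execute code when followed.
      if ((attr.name === "href" || attr.name === "src") &&
          /^\s*javascript:/i.test(attr.value)) {
        items.push({ kind: "js-url", value: attr.value, element: el.tagName });
      }
    }
  }
  return items;
}

// Collapse whitespace so a known inline snippet matches regardless of formatting.
function normalizeInline(text) {
  return text.replace(/\s+/g, " ").trim();
}

// Policy check. External scripts must resolve to an allowed origin (relative URLs
// are resolved against the page origin); inline scripts must match a known
// snippet; handlers and javascript: URLs are reported on a page that ships none.
function auditScripts(items, policy) {
  const known = policy.knownInline.map(normalizeInline);
  const findings = [];
  for (const it of items) {
    if (it.kind === "external") {
      let origin = null;
      try { origin = new URL(it.value, policy.pageOrigin).origin; } catch (e) { /* unparsable */ }
      if (!origin || !policy.allowedOrigins.includes(origin)) {
        findings.push({ ...it, reason: "external script from unlisted origin" });
      }
    } else if (it.kind === "inline") {
      if (!known.includes(normalizeInline(it.value))) {
        findings.push({ ...it, reason: "inline script not in known set" });
      }
    } else {
      findings.push({ ...it, reason: "inline handler or javascript: URL" });
    }
  }
  return findings;
}

// Convenience wrapper for use in a browser console or a monitoring script.
function auditDocument(doc, policy) {
  return auditScripts(collectScripts(doc), policy);
}

// Constructed sample policy and DOM inventory (placeholder hosts, not real sites).
const samplePolicy = {
  pageOrigin: "https://www.example.com",
  allowedOrigins: ["https://www.example.com"],
  knownInline: ["init();"],
};

const sampleItems = [
  { kind: "external", value: "https://www.example.com/js/app.js" },  // ours
  { kind: "external", value: "/js/local.js" },                       // ours, relative
  { kind: "external", value: "https://cdn.unlisted.invalid/x.js" },  // not ours
  { kind: "inline",   value: "  init();  " },                        // ours, whitespace differs
  { kind: "inline",   value: "trackVisit()" },                       // unknown inline code
  { kind: "handler",  value: "doThing()", element: "IMG" },          // inline handler
];

function runSampleAudit() {
  return auditScripts(sampleItems, samplePolicy);
}
```

The audit reports the unlisted CDN script, the unknown inline snippet and the IMG handler, and accepts the relative URL because it resolves to the page's own origin. Two caveats from a defender's point of view: a script that already runs in the page can rewrite this inventory, so the check is a detection aid rather than a boundary, and the session-cookie exposure Claude worries about is addressed server-side by setting the session cookie HttpOnly (so script cannot read it) and by a Content-Security-Policy header that limits where script may load from.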