I am a bad hacker and watching your line. I see cookies A and B go to you.
I set cookies A and B in my web browser. I am now you. You can try to
permute the cookies with IP# (breaks on proxies) or browser type, but all
cookie-based approaches believe in the value of something sent cleartext.
Or use SSL.
-j

On Thu, Apr 27, 2000 at 12:34:30PM -0700, Nick Tonkin wrote:
> On Thu, 27 Apr 2000, Marc Slemko wrote:
>
> > Cookies are not secure and will never be secure. They may be "good
> > enough", and you may not have much choice, but they are still simply not
> > secure when you put everything together.
>
> Can you be more specific about why you say that? If I set an encrypted,
> short-lived cookie upon validated authentication, why is that any less
> secure than any of the other approaches you mentioned?
>
>
> - nick
>
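
An added example, not part of either message: a server-side check for a short-lived cookie bound to browser type, showing that a verbatim copy of the cleartext request headers still validates until expiry, and that the `Secure` attribute is what keeps the cookie off plain HTTP. The key, user name, timestamp and browser string are constructed, and HMAC-SHA256 stands in here for whatever protection the cookie actually uses.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value for this example

def issue_cookie(user, user_agent, now, ttl=300):
    """Return 'user|expiry|mac', with the MAC bound to the browser type."""
    expiry = str(int(now) + ttl)
    msg = "|".join((user, expiry, user_agent)).encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return "|".join((user, expiry, mac))

def check_cookie(cookie, user_agent, now):
    """Return the user name if the cookie verifies and is unexpired, else None."""
    try:
        user, expiry, mac = cookie.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None
    msg = "|".join((user, expiry, user_agent)).encode()
    good = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    return user if now < expires_at else None

def set_cookie_header(cookie, tls_only):
    """Secure keeps the browser from sending the cookie over plain HTTP."""
    attrs = "; Secure; HttpOnly" if tls_only else ""
    return "Set-Cookie: session=" + cookie + attrs

def demo():
    t0 = 956_864_070  # constructed timestamp
    ua = "Mozilla/4.7 [en] (X11; U; Linux)"  # constructed browser string
    cookie = issue_cookie("nick", ua, t0)
    return {
        "owner": check_cookie(cookie, ua, t0 + 10),
        # Same cookie and same User-Agent header arriving from another machine:
        # the server sees identical bytes and cannot tell the two apart.
        "replayed_same_headers": check_cookie(cookie, ua, t0 + 60),
        "different_browser": check_cookie(cookie, "Lynx/2.8", t0 + 60),
        "after_expiry": check_cookie(cookie, ua, t0 + 301),
        "tampered": check_cookie(cookie.replace("nick", "marc"), ua, t0 + 10),
        "header": set_cookie_header(cookie, tls_only=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The MAC and the expiry stop tampering and bound the useful lifetime of a captured cookie; only transport encryption keeps the cookie from being observed in the first place.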