I've not followed this conversation, but I feel I should interject a bit.

On 4/29/07, Thom McGrath <[EMAIL PROTECTED]> wrote:
> Cookies don't behave that way. They are not a security risk. They
> only allow websites to look up data which was already sent to you from
> the same site. Your example simply doesn't work.

This is not entirely true. Cookies can (and should) be limited to the
originating site, but this is not always the case. To me, this is much
like how your REALbasic applications should always run at the lowest
possible permissions at any given time: The cookies you create should
be limited to only your domain and the relevant path.

Furthermore, while they are not always a security risk, they most
definitely can be. Cookies, IMHO, should really only be used for
storing session information or the like. I only use cookies for
storing a unique ID that indexes into a table as relevant to the
website and database (though I do incorporate an authorization into
the cookie so it can't be falsified). I have seen sites out there that
store plaintext username/password combinations into the cookie to
facilitate a perpetual login sequence. THAT poses a security risk.
> Cookies are very, very, very, very, very rarely a security risk. I
> can't even provide personal information to Amazon, and have site x
> look it up later.

Sites like Amazon -- and really, any service which purports to be
professional -- should never share any personally identifiable
information via cookies. Not even with itself (e.g., a cookie limited to
its own domain). HTTP is not a protocol designed with security in
mind; cookies were an afterthought hack to provide a sort of fluid
data flow across page hits.


> The reason cookies are believed to be a security risk is simple. They
> are typically stored in a text file on your computer. It is very easy
> for a malicious program to look up your Amazon cookies and use that
> to log in. But Amazon, and most sites, are not stupid enough to allow
> this to actually work. It was an easy trick years ago, which is why
> cookies got a bad rap, but these days it would be pointless.

I don't agree with this completely, either. I lock my computers down
fairly well, but I occasionally find myself on some website that tries
to sell me products/services tailored to my location. How did they
know to send me ads for St. Cloud, MN? I certainly never provided THEM
with that information. The only answer that makes any sense is that
there is a cookie stored on my computer that indicates my zip code,
and that cookie is readily accessible to sites that know to look for
it.

As an interesting sidenote, I did for quite some time have Firefox
set up to ask me to approve every cookie that wanted to be set. This
was a bit annoying at first, but after I approved for sites I trusted
and denied for sites I didn't trust (or didn't feel had a valid reason
for giving me a cookie, OR for sites that wanted to set a cookie that
lasted longer than necessary, e.g., 36 years), I found that I never had
any data available to advertisers as mentioned above.

YMMV.


-- 
-Adam
dingostick.com
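The cookie scheme Adam describes above (only an opaque session ID in the cookie, an authorization tag so it can't be forged, and scoping to the site's own domain and path) in concrete form. This is an added example, not code from the thread or from REALbasic; the secret key, domain, path and session ID are constructed values.

```python
import hmac
import hashlib
import base64

# Constructed demo secret; a real server loads this from a secrets store, never from source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign_session_id(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Return 'session_id.tag', where tag is HMAC-SHA256 over the ID.

    Only the opaque ID goes to the client; user data stays in the server-side table.
    The tag is the 'authorization' that stops a client from presenting someone else's ID.
    """
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).digest()
    return session_id + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_session_cookie(value: str, key: bytes = SECRET_KEY):
    """Return the session ID if the tag checks out, otherwise None."""
    session_id, sep, _tag = value.rpartition(".")
    if not sep or not session_id:
        return None  # malformed: no tag at all
    expected = sign_session_id(session_id, key)
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    if hmac.compare_digest(expected, value):
        return session_id
    return None


def set_cookie_header(name: str, value: str, domain: str, path: str, max_age: int) -> str:
    """Build a Set-Cookie header limited to one host and path, short-lived,
    sent only over HTTPS (Secure) and hidden from page scripts (HttpOnly)."""
    return (
        f"{name}={value}; Domain={domain}; Path={path}; Max-Age={max_age}; "
        "Secure; HttpOnly; SameSite=Lax"
    )


if __name__ == "__main__":
    cookie = sign_session_id("a1b2c3")  # constructed session ID
    print(set_cookie_header("sid", cookie, "www.example.com", "/app", 3600))
    print(verify_session_cookie(cookie))  # a1b2c3
    # Swapping in another ID while keeping the old tag fails verification.
    print(verify_session_cookie("zz9999." + cookie.split(".")[1]))  # None
```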
_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>

Search the archives:
<http://support.realsoftware.com/listarchives/lists.html>