
Re: How to protect against cookie stealing?

From: Marc Slemko <marcs(at)znep.com>
Date: Sun Jul 27 2003 - 12:32:22 EDT

Why are people going off on increasingly wild and completely impractical and horribly insecure tangents ("hey, let's just create an activex control that the user installs that uses their MAC address for security") without once mentioning the fact that the net impact of cross site scripting attacks (and related cross domain validation type bugs in browsers) is NOT just the ability to steal cookies, it is the ability to completely control the user's interaction with the site, if a client side scripting language such as javascript is enabled.

The authentication token is not the holy grail: I don't need a user's cookie or SSL certificate or cereal box decoder ring if I can just tell their browser to jump through a given series of actions on a site and then send the results off via a HTTP request to some other site.

Don't get me wrong, ensuring your authentication scheme is secure against a variety of attacks is good. But don't forget the bigger picture.

Received on Sun Jul 27 17:11:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

