[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100130161931.GG1331@sentinelchicken.org>
Date: Sat, 30 Jan 2010 08:19:31 -0800
From: "Timothy D. Morgan" <tmorgan@...curity.com>
To: "Arian J. Evans" <arian.evans@...chronic.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Webappsec] Paper: Weaning the Web off of
Session Cookies
Hi Arian,
> Good points James. I read this paper a few times to make sure I got
> the point, and it's a cute idea but I just don't see it happening.
Pessimism is understandable; I don't fault you for that.
> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
> this is pretty much a non-starter. Cookies rule here. For a dozen
> different reasons that I can think of.
Well, I'm sure you read this, but digest auth can do SSO to, arguably
better. Whatever wrappers frameworks put around cookies, which are a
very simple primitive, can be wrapped around digest auth too.
> Always good to try and raise the bar, but the world has voted cookies
> (thanks Lou!) and I think they are here to stay for at least the next
> decade.
Definitely, they aren't going away, but we should start phasing them
out of authentication. What the replacement is may be up in the air,
but the bottom line is: Cookies were a terrible idea for
authentication when they were first introduced and they are still a
bad idea. We've been hit over the head with this for years.
> Oh, yeah, and marketing rules the world, and web sales and marketing
> (and Google) LOVE cookies. So that is what it is and I really don't
> see that changing until they can inject a tracking device into your
> body.
As the paper points out, these business drivers act against making
cookie primitives more usable for session management.
Thanks for taking the time to read it,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists