Full Disclosure mailing list archives
Re: [Webappsec] Paper: Weaning the Web off of Session Cookies
From: "Timothy D. Morgan" <tmorgan () vsecurity com>
Date: Sat, 30 Jan 2010 08:19:31 -0800
Hi Arian,
> Good points, James. I read this paper a few times to make sure I got the point, and it's a cute idea but I just don't see it happening.
Pessimism is understandable; I don't fault you for that.
> For multi-node, multi-app, websites sharing auth/state/preferences across multiple web assets (physical servers and logical "websites") this is pretty much a non-starter. Cookies rule here. For a dozen different reasons that I can think of.
Well, I'm sure you read this, but digest auth can do SSO too, arguably better. Whatever wrappers frameworks put around cookies, which are a very simple primitive, can be wrapped around digest auth too.
> Always good to try and raise the bar, but the world has voted cookies (thanks Lou!) and I think they are here to stay for at least the next decade.
Definitely, they aren't going away, but we should start phasing them out of authentication. What the replacement is may be up in the air, but the bottom line is: Cookies were a terrible idea for authentication when they were first introduced and they are still a bad idea. We've been hit over the head with this for years.
> Oh, yeah, and marketing rules the world, and web sales and marketing (and Google) LOVE cookies. So that is what it is and I really don't see that changing until they can inject a tracking device into your body.
As the paper points out, these business drivers act against making cookie primitives more usable for session management.

Thanks for taking the time to read it,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Paper: Weaning the Web off of Session Cookies Timothy D. Morgan (Jan 26)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies James Landis (Jan 28)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Arian J. Evans (Jan 28)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Timothy D. Morgan (Jan 30)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Arian J. Evans (Jan 31)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Timothy D. Morgan (Jan 30)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Arian J. Evans (Jan 31)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Arian J. Evans (Jan 28)
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies James Landis (Jan 28)