WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: "Darragh O'Brien" <dobrien () computing dcu ie>
Date: Tue, 27 Jul 2004 15:53:31 +0100
I have come across this same issue with a number of websites. Do existing website vulnerability scanners check for such problems?

Thanks,
Darragh

On Tuesday 27 July 2004 15:28, Konstantin Ryabitsev wrote:
> On Tue, 2004-07-27 at 10:20 -0400, Stan Guzik wrote:
> > Once you enter the site they set their cookie without SSL. This is not a good practice because it leaves the cookie (maybe session management) open to a sniffing attack.
>
> This is indeed a valid concern, but a separate issue. If you got a session cookie over cleartext, then authenticated over SSL, your session can be compromised if the same session is used to identify you past-login.
>
> Regards,
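
The condition described in the quoted reply (a session id handed out over cleartext and still in use after an SSL login) can be checked mechanically from recorded responses. The sketch below is an added example, not part of the thread and not taken from any scanner; the cookie name `SID`, the flow record format and the function names are assumptions made for illustration.

```python
# Constructed sample traffic (not from the thread): each entry is one HTTP
# response, in order, with the scheme it travelled over.
WEAK_FLOW = [
    {"scheme": "http", "event": "landing", "set_cookie": ["SID=a1b2c3; Path=/"]},
    {"scheme": "https", "event": "login", "set_cookie": []},
]
FIXED_FLOW = [
    {"scheme": "http", "event": "landing", "set_cookie": ["SID=a1b2c3; Path=/"]},
    {"scheme": "https", "event": "login",
     "set_cookie": ["SID=z9y8x7; Path=/; Secure; HttpOnly"]},
]


def parse_set_cookie(header):
    """Return (name, value, has_secure_attribute) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return name, value, "secure" in attrs


def audit_flow(flow, cookie_name="SID"):
    """Flag logins whose session id could have been observed in cleartext."""
    findings = []
    sid = None       # session id the browser currently holds
    exposed = set()  # ids issued over HTTP or without the Secure attribute
    for resp in flow:
        issued = None
        for header in resp["set_cookie"]:
            name, value, secure = parse_set_cookie(header)
            if name == cookie_name:
                issued = (value, secure)
        if issued is not None:
            sid, secure = issued
            if resp["scheme"] == "http" or not secure:
                exposed.add(sid)
        if resp["event"] == "login" and sid in exposed:
            if issued is None:
                # Server kept the id it issued before authentication.
                findings.append("pre-login id reused after login")
            else:
                # New id, but the browser may still send it over HTTP.
                findings.append("post-login cookie can travel in cleartext")
    return findings


if __name__ == "__main__":
    print("weak flow: ", audit_flow(WEAK_FLOW))
    print("fixed flow:", audit_flow(FIXED_FLOW))
```
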