[thesite] UEUE v0.4 - Circumventing the cookie scr1ptk1dd1es
Simon Coggins
ppxsjc1 at nottingham.ac.uk
Tue Dec 18 09:51:39 CST 2001
> In a nutshell the solution to the cookie-hijacking is to establish a group
> of trusted URLs within the UEUE authentication architecture. If you are
> coming from an untrusted URL to a trusted URL, you will be re-prompted for
> your password. UEUE cookies will be correctly deleted and recreated as
> necessary before they get to the Javascript haxors. This is the best way,
> short of Digital certs. and bio-scanners, to prove your identity IMHO
> using browser-based technology.
Maybe it's just me being a bit dense but I don't see how you are going to
destroy the cookies when moving from a trusted to an untrusted URL. Can
you clarify how you will know whether to destroy the cookie *before* the
user leaves a trusted page? What happens if they have multiple browser
windows open?
Please explain, I'm confused...
Simon