> sounds like you'd need to write this protection layer for each app server.
> too much work though if it's going to leave the cookies wide open for
> harvesting with javascript.

Based on my experience, I don't see this as too challenging.... We'd just have
to make a policy that states that if you want to utilize the UEUE, then you have
to run an Apache-based app-server and the cookie-suppression
module...*if* such suppression is even possible.

Even now, CF runs as an apache module so in theory we should be able to suppress

I'm sure though, that you'd have to do this in the module and not from within a
directive in httpd.conf....  PHP and mod_perl wouldn't be a problem because they
are open source... ColdFusion OTH, we can't change...

>grabbing cookies with javascript is really rather simple.  all i have to do
>is query the document.cookies object and it'll tell me everything i need to
>know.  then, i can report them back to my server-side script in a multitude
>of ways for logging purposes.  these ways would include things like pass the

Aahhh... now I see.  I wasn't aware that you could do JavaScript redirects...  I
can see how this would be a problem...  Hrm...  Thanks very much for the
information... :)

