[thesite] My Intro and a look at a UEUE Proposal

Daniel J. Cody djc at starkmedia.com
Thu Oct 18 13:00:33 CDT 2001


what list are they starting down? the list of cookies they've logged?

so Joey Cracker gets my userid and priv level from my cookie. what can 
he do with it if it's not got a corresponding userid_hash value that uses 
our secret key? (just looking for an example from your POV)

.djc.

.jeff wrote:


> keeping the meo account holders from *creating* cookies is fine.  however,
> keeping them from reading your cookie and *copying* it is another story.
> all they have to do is log all the cookie values of visitors to their site
> then start down the list with those cookies values as their own until they
> find one that gives them the appropriate level of access.

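An added example, not code from this thread or from thesite itself (the list's real cookie layout is only sketched above): a toy "userid|priv|userid_hash" cookie where userid_hash is an HMAC over the userid and priv level with a server-side secret. It shows the two halves of the exchange above side by side: a cookie whose priv field has been edited fails the check, because the editor has no key to recompute the hash, while a cookie copied verbatim out of a log of visitors still verifies, which is exactly the list-walking .jeff describes. The secret key, the pipe-delimited layout, the function names and the sample visitors are all assumptions made for the demo.

```python
import hashlib
import hmac

# Hypothetical server-side secret (constructed for this example; in practice
# it lives only on the server and is never sent to the browser).
SECRET_KEY = b"example-secret-key-for-demo-only"


def unsigned_cookie(userid, priv):
    """The scheme before any keyed hash: the browser is trusted to state its
    own userid and priv level, so anyone can write 'djc|9' and be admin."""
    return f"{userid}|{priv}"


def parse_unsigned_cookie(cookie):
    """Server side of the unsigned scheme: no check at all."""
    userid, priv = cookie.split("|")
    return userid, int(priv)


def make_cookie(userid, priv, key=SECRET_KEY):
    """Signed scheme: 'userid|priv|userid_hash', where userid_hash is
    HMAC-SHA256 over 'userid|priv' with the server's secret key.
    The userid is assumed not to contain '|'."""
    payload = f"{userid}|{priv}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return (userid, priv) only if the hash was produced with our key,
    otherwise None. compare_digest avoids a timing side channel."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    userid, priv, mac = parts
    expected = hmac.new(key, f"{userid}|{priv}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return userid, int(priv)


def forge_attempt(cookie, new_priv):
    """Joey Cracker rewrites the priv field of a cookie he can read, keeping
    the old hash because he has no key to recompute it."""
    userid, _priv, mac = cookie.split("|")
    return f"{userid}|{new_priv}|{mac}"


def replay_search(logged_cookies, wanted_priv, key=SECRET_KEY):
    """The attack .jeff describes: a site operator logs visitors' cookies and
    presents each one verbatim until one verifies at the wanted level.
    Nothing is forged, so the hash passes. Returns the (userid, priv) gained
    from the first such cookie, or None if the log holds nothing useful."""
    for cookie in logged_cookies:
        result = verify_cookie(cookie, key)
        if result is not None and result[1] >= wanted_priv:
            return result
    return None


if __name__ == "__main__":
    # Constructed sample log: three visitors, one of them an admin (priv 9).
    log = [make_cookie("alice", 1), make_cookie("djc", 5), make_cookie("carol", 9)]
    legit = log[1]
    print("unsigned 'djc|9' parses as:", parse_unsigned_cookie(unsigned_cookie("djc", 9)))
    print("forged priv rejected:", verify_cookie(forge_attempt(legit, 9)) is None)
    print("replayed admin cookie yields:", replay_search(log, 9))
```

The keyed hash answers the question in the message above for the forging case: without the secret, an edited userid or priv level is rejected. It does nothing for the copying case, because the server accepts any cookie whose hash is valid, and a copied cookie's hash is valid by construction; whatever else the cookie is bound to, if anything, is what decides whether the copy is usable.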