[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

J C Lawrence claw@kanga.nu
Mon, 17 Jan 2000 12:05:41 -0800


On Mon, 17 Jan 2000 11:19:23 -0500 
Amos Latteier <Amos@digicool.com> wrote:

> I'm not sure if there are any other security issues involved in
> this cookie arrangement.
 
It's the same reason you don't use telnet on unprotected or untrusted
networks (and probably shouldn't even then).  The general problem
is that anyone can sniff the wire, pick up the cookie, slap it in
their own cookie file and instantly impersonate you with all your
access rights.  This is of course why people use things like SSL and
variously short lived session keys and the like.

-- 
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
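
The replay problem described in the reply above, as an added example that is not part of the original post or of Zope's own session code: a server issues a cookie that is HMAC-signed over the user name and an expiry time, so a sniffed cookie can still be replayed while it is fresh (which is exactly the "instantly impersonate you" case), but it stops working once the short lifetime runs out and cannot be extended by editing the expiry field. The key, TTL, user names and timestamps are constructed for the example; the Set-Cookie helper only shows the Secure attribute that ties the cookie to SSL so it is never sent over plain HTTP.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: in a deployment the key comes from config,
# not source, and must survive restarts or every session is invalidated.
SERVER_KEY = secrets.token_bytes(32)

# A short lifetime bounds how long a sniffed cookie remains useful to a thief.
SESSION_TTL_SECONDS = 300


def issue_session_cookie(user: str, now: float, ttl: int = SESSION_TTL_SECONDS) -> str:
    """Return a cookie value encoding 'user|expiry|mac'.

    The MAC covers both the user name and the expiry, so someone who captures
    the cookie cannot change either field without invalidating it."""
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    expiry = int(now) + ttl
    payload = f"{user}|{expiry}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def validate_session_cookie(cookie: str, now: float):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        # maxsplit=2 keeps the MAC intact even if it happens to contain b"|".
        user_b, expiry_b, mac = raw.split(b"|", 2)
        expiry = int(expiry_b)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, user_b + b"|" + expiry_b, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None          # forged or tampered
    if now >= expiry:
        return None          # replayed after the short lifetime ran out
    return user_b.decode()


def set_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build the Set-Cookie line; Secure tells the browser to send the cookie
    only over SSL, which is what keeps it off an unprotected wire."""
    header = f"Set-Cookie: {name}={value}; Path=/"
    return header + "; Secure" if secure else header


def replay_demo():
    """Walk through the sniff-and-replay scenario at constructed timestamps.

    Returns (replay within TTL, replay after TTL, replay with edited expiry)."""
    t0 = 1_000_000.0
    cookie = issue_session_cookie("alice", t0)

    # Attacker sniffs the cookie off plain HTTP and drops it into their own
    # cookie file: within the lifetime the server cannot tell them apart.
    within_ttl = validate_session_cookie(cookie, t0 + 60)

    # The same cookie replayed after the lifetime expires is rejected.
    after_ttl = validate_session_cookie(cookie, t0 + SESSION_TTL_SECONDS + 1)

    # Attacker tries to extend the lifetime by rewriting the expiry field;
    # the MAC no longer matches, so this is rejected even while "fresh".
    raw = base64.urlsafe_b64decode(cookie.encode())
    user_b, expiry_b, mac = raw.split(b"|", 2)
    forged_raw = user_b + b"|" + str(int(expiry_b) + 10**6).encode() + b"|" + mac
    forged = base64.urlsafe_b64encode(forged_raw).decode()
    extended = validate_session_cookie(forged, t0 + 60)

    return within_ttl, after_ttl, extended


if __name__ == "__main__":
    print(replay_demo())
    print(set_cookie_header("_ZopeId", issue_session_cookie("alice", time.time())))
```

The first value returned by replay_demo shows why the reply treats a plaintext cookie like a telnet password: nothing in the cookie distinguishes the owner from whoever copied it. The second and third show what short lifetimes and an integrity check buy you; only the Secure attribute (or SSL for the whole site) removes the sniffing opportunity itself.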