[659] in Intrusion Detection Systems
RE: netscape
daemon@ATHENA.MIT.EDU (Tim)
Mon Mar 18 04:58:22 1996
From: Tim <tbelcher@tds.com>
To: "ids@uow.edu.au" <ids@uow.edu.au>
Date: Fri, 15 Mar 1996 08:05:23 -0500
Reply-To: ids@uow.edu.au
I am sure Netscape is aware of it considering Cookies are a feature not =
a bug. What this really allows you to do is maintain client information =
in a connectionless client. In short, any server can write data to your =
cookie file. When you connect to that site in the future, based on the =
parameters in the cookie file, you client will then feed the cookie =
information back to the host. There are security considerations =
implemented in Netscape and others that prevent misuse. For instance, =
the server can only set cookies of a certain length. Several paramaters =
are required such as time to live. And the server can only set cookies =
at the .domain.domain level, and they must match the servers site. =
Meaning, Cookies have to be set to the host level and have at leat 2 =
periods in the address. Also, this prevents my site from adding a =
cookie to your site.
Again, all of this is mute considering the information is not taken from =
a client, but given by the client whenever browsing a host that matches =
an entry in the cookies file. The server then can get the information =
from the server's environment under $ENV{"HTTP_COOKIES"}. The only =
security problem I see is servers using this information to cache and =
automatically parse a users password for their site. However, this is =
no less secure than using .htaccess files or their equiv considering =
they are clear text as well. However, there is a secure option in =
cookies that will let the client know to only transmit the cookie when =
connected to a secure server.
A couple of sites with more info are:
http://www.emf.net/~mal/cookiesinfo.html
http://www.illuminatus.com/cookie
Cheers,
Tim
[ Quoted Item Deleted - RuF]
