-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martin O'Neal wrote:
I know I'm not the one you are asking, but I think setting
the path is LESS secure. Not because of any technical reason,
given the fact that its easily circumvented, but because of
the false sense of security that gets placed by developers
using the path.
Using the same logic though, one would be compelled to recommend not
using SSL; the false sense of security 9-out-of-10 cats preferred. :P
Martin...
But at least SSL is adding some layer of security, in that even if the
web app has holes, the transport is still being encrypted.
Using the path setting for the cookie offers no security, and should not
be considered part of the security design, whereas SSL does belong as
part of the security design.
Im not saying its bad to use the path, it has its purpose, such as
segmenting the cookies for the different apps using the same cookie
names, but it should not be considered part of the security design.
- --
Dan Kuykendall (aka Seek3r)
http://www.mightyseek.com
In God we trust, all others we virus scan.
Programmer - an organism that turns coffee into software.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEUTc1K8FkGutbdPMRAncOAKCXuVU72+3XRNIHGnOKXloyiqP6xwCfRkOS
lOPXG73N3qa28uRpwXozA/A=
=Uagi
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
