


security-services message


Subject: Re: Web-browser Binding Vulnerabilities + "Cures"


> Good point, but I offer a slight clarification.
> An app or user could go to WinNT\profiles\yourusername\cookies\ and pick up
> the cookie.  Not even slightly safer than URLs.  

This is correct for persistent cookies.  But does it really apply to session-cookies?
They should only be in browser memory as long as the browser is running. 
But, I have *not* checked this.

>Note this doesn't work very well with wireless devices as cookies on
>wireless are problem. 

I know, therefore I did not suggest a change either.  This is just "information".
I am pretty sure though that WAP 2.0 will support cookies as it makes URLs "nicer"
and apps easier to write.

> Also many companies - rightly or wrongly - disable the use of cookies.

I know.  They will not be able to use the majority of session-oriented IIS apps by doing that.
The same goes for disabling JavaScript.  Apparently SAP have other ideas as they
use cookies.

>Jamcracker's approach for SSO in the ASP ecosystem is to use a back-channel
>communication between the Site A and the asserter.  The assertion travels on
>the back-channel with a reference being in the URL on the browser.  Note
>that we do the launching of apps from our portal - the first use case.

I don't think I understood this.  Does it solve the mentioned problem?
Please elaborate a bit.
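The back-channel scheme quoted above, where the browser carries only an opaque reference in the URL and the assertion itself travels between Site A and the asserter, is what defuses the cookie-file and URL-theft problem discussed in this thread: a reference copied out of a cookie directory or a browser history is worthless once it has been resolved. The following is an added illustration written for this archive, not Jamcracker's code and not anything from the thread. The class names (Asserter, Site), the `ref` query parameter, and the use of a per-site shared secret with HMAC-SHA256 to authenticate the back-channel call are all assumptions; the message does not say how that channel is protected.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse


class Asserter:
    """Simulated asserter (identity provider). Assertions stay here; the browser
    only ever sees an opaque, short-lived, single-use reference. Hypothetical."""

    def __init__(self, site_secrets, ttl_seconds=60):
        self._pending = {}              # reference -> (assertion, expiry time)
        self._site_secrets = site_secrets  # site_id -> shared secret (assumed scheme)
        self.ttl = ttl_seconds

    def login_redirect(self, user, site_id, now=None):
        """Front channel: mint an assertion, park it, and return the URL the
        browser is redirected to. Only the random reference appears in the URL."""
        now = time.time() if now is None else now
        assertion = {"subject": user, "audience": site_id, "issued_at": now}
        ref = secrets.token_urlsafe(24)   # 192 bits of entropy; unguessable
        self._pending[ref] = (assertion, now + self.ttl)
        return f"https://{site_id}/sso?ref={ref}"

    def resolve(self, site_id, ref, mac, now=None):
        """Back channel: the site presents the reference plus an HMAC under its
        shared secret. The assertion is handed out at most once."""
        now = time.time() if now is None else now
        secret = self._site_secrets.get(site_id)
        if secret is None:
            return None
        expected = hmac.new(secret, ref.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        # pop() is the one-time-use guarantee: a replayed reference (from a
        # cookie file, a proxy log, or browser history) finds nothing here.
        entry = self._pending.pop(ref, None)
        if entry is None:
            return None
        assertion, expiry = entry
        if now > expiry:
            return None
        if assertion["audience"] != site_id:
            return None          # issued for a different site; do not hand it over
        return assertion


class Site:
    """Simulated relying site (Site A). Hypothetical."""

    def __init__(self, site_id, secret, asserter):
        self.site_id = site_id
        self.secret = secret
        self.asserter = asserter

    def handle_sso(self, url, now=None):
        """Browser arrives with the redirect URL; the site pulls the reference out
        of the query string and fetches the real assertion over the back channel."""
        refs = parse_qs(urlparse(url).query).get("ref")
        if not refs:
            return None
        ref = refs[0]
        mac = hmac.new(self.secret, ref.encode(), hashlib.sha256).hexdigest()
        return self.asserter.resolve(self.site_id, ref, mac, now)


def run_demo():
    """Walk the exchange with a fixed clock. Returns four booleans:
    (first resolution succeeds, replay succeeds, wrong site succeeds,
    stale reference succeeds). Expected: (True, False, False, False)."""
    idp = Asserter({"site-a.example": b"k1", "site-b.example": b"k2"}, ttl_seconds=60)
    site_a = Site("site-a.example", b"k1", idp)
    site_b = Site("site-b.example", b"k2", idp)

    url = idp.login_redirect("alice", "site-a.example", now=1000.0)
    first = site_a.handle_sso(url, now=1001.0)
    replay = site_a.handle_sso(url, now=1002.0)      # same URL lifted from disk

    url2 = idp.login_redirect("alice", "site-a.example", now=1000.0)
    wrong_site = site_b.handle_sso(url2, now=1001.0)  # valid key, wrong audience

    url3 = idp.login_redirect("alice", "site-a.example", now=1000.0)
    stale = site_a.handle_sso(url3, now=1100.0)       # 100 s later, TTL is 60 s

    return (first is not None, replay is not None,
            wrong_site is not None, stale is not None)


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is that everything an attacker can harvest from the client side (the URL, and by extension a cookie holding the same reference) is a pointer, not a credential: it is unguessable, it expires, it is bound to one audience, and it is consumed on first use. The assertion itself never leaves the server-to-server channel.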


