Subject: Re: Web-browser Binding Vulnerabilities + "Cures"
Dave

> Good point, but I offer a slight clarification.
>
> An app or user could go to WinNT\profiles\yourusername\cookies\ and pick up
> the cookie. Not even slightly safer than URLs.

This is correct for persistent cookies. But does it really apply to session-cookies? They should only be in browser memory as long as the browser is running. But, I have *not* checked this.

> Note this doesn't work very well with wireless devices as cookies on
> wireless are a problem.

I know, therefore I did not suggest a change either. This is just "information". I am pretty sure though that WAP 2.0 will support cookies as it makes URLs "nicer" and apps easier to write.

> Also many companies - rightly or wrongly - disable the use of cookies.

I know. They will not be able to use the majority of session-oriented IIS apps by doing that. The same goes for disabling JavaScript. Apparently SAP have other ideas as they use cookies.

> Jamcracker's approach for SSO in the ASP ecosystem is to use a back-channel
> communication between the Site A and the asserter. The assertion travels on
> the back-channel with a reference being in the URL on the browser. Note
> that we do the launching of apps from our portal - the first use case.

I don't think I understood this. Does it solve the mentioned problem? Please elaborate a bit.

Anders