
Re: [microsound] cookie monster



Hello,
Arie van Schutterhoef wrote:

> >if cookies bother you
> -Yes they do. But it is also not necessary to use them in order to run a forum
>  that won't be hacked (if people want to do that, they'll do it
>  anyhow)
> See:
> http://www.electroniclife.co.uk/scforum/
> http://forums.nekochan.net/

Well, phpBB, which is used to run the .ms-forum, is known to often have
security problems, so personally I wouldn't have chosen it, but still
it is run on many sites and if .ms chooses it, it's .ms's decision so
why care? We're not the sysadmins here.

Regarding the cookies: Cookies aren't as bad as people like to put
them, and used correctly, they can provide better security than
other approaches. An example is the Nekochan site, which also uses
phpBB but has cookies switched off and instead goes for session IDs in
the URL which look like: "&sid=51eb2740ac..."

From a security viewpoint doing this is much worse than enabling
cookies. Why? Because this session ID can be hijacked by cross-site
scripting or HTTP referer stealing attacks. Just put a link in a post
and as soon as a visitor clicks this link, the linked site can see the
session ID in the http-server logs. Voila, there goes your privacy. I
don't want to explain all this in more detail here, this is way
off-topic enough already, but blaming Cookies as being a security risk
per se is just not correct.

Oh, and did I say that all web forums suck compared to decent mail
software? I sincerely hope the forum will not mean the end of the .ms
mailing list.

Ciao
-- 
 Frank Barknecht                 _ ______footils.org_ __goto10.org__
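
The Referer leak described in the message above, as an added example that is not part of the original post: a simplified model of the Referrer-Policy rules showing under which policies a "sid" carried in the page URL reaches the linked site. The host names, paths and sid value are constructed, and "downgrade" is approximated as https to non-https.

```javascript
// Added example; URLs and the sid value below are constructed.
// Returns the Referer header value a browser would send when a user on
// pageUrl follows a link to targetUrl, or null if no Referer is sent.
function refererFor(pageUrl, targetUrl, policy) {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  const sameOrigin = from.origin === to.origin;
  // Simplification: treat https -> anything else as a downgrade.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  // Browsers drop credentials and the #fragment, but keep the query string.
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown policy: " + policy);
  }
}

// What the linked site's server log would reveal: the session ID, or null.
function leakedSid(referer, param = "sid") {
  if (referer === null) return null;
  return new URL(referer).searchParams.get(param);
}

// Constructed sample: a topic page with the session ID in its URL,
// and an off-site link posted in that topic.
const PAGE = "http://forum.example/viewtopic.php?t=42&sid=0123456789abcdef";
const LINK = "http://other.example/landing";

// Maps each policy to the sid the linked site would learn (null = no leak).
function audit(page = PAGE, link = LINK) {
  const policies = ["unsafe-url", "no-referrer-when-downgrade",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "strict-origin", "origin", "same-origin", "no-referrer"];
  const out = {};
  for (const p of policies) out[p] = leakedSid(refererFor(page, link, p));
  return out;
}

console.log(audit());
```

Only "unsafe-url" and "no-referrer-when-downgrade" (the long-standing browser default before "strict-origin-when-cross-origin" replaced it) pass the sid to the other site; a session ID held in a cookie never appears in the URL, so it is not in the Referer under any policy.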
