PerlMonks  

Re: CGI security problem:Netscape 6.X: browser session security weakness in client

by AidanLee (Chaplain)
on Feb 04, 2002 at 14:04 UTC ( [id://143238]=note )


in reply to CGI security problem:Netscape 6.X: browser session security weakness in client

Something else to consider is that you also don't want your session to be *only* time-based. People (using non-N6 browsers) expect that when you close your browser, the session goes away. The fact is that if you add an expiration date to your cookie, you can't *also* have it destroyed when the browser is closed. So you may want to consider (as I have) a two-pronged session:

  1. A cookie that expires in a given time frame (~20 min is good)
  2. A cookie with no timestamp, which the browser understands is to be destroyed when the last browser window is closed (except, as hackmare notes, on N6)

This requires the user to have both cookies to have a valid session.

It would also probably be worthwhile to point this issue out to the Mozilla crowd. They could possibly patch the browser to clear the session cache out when all windows are closed.
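The two-cookie check described in the post above, written out as an added example; it is not AidanLee's code and not part of the original thread. The cookie names, the secret and the function names are assumptions, and the example goes one step beyond the post by signing both cookies and re-checking the 20-minute window on the server.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';  # assumption: a per-site server-side key
my $TTL    = 20 * 60;                    # the ~20 minute window from the post
my @DAY = qw(Sun Mon Tue Wed Thu Fri Sat);
my @MON = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);

# Token is "sid.issued.mac"; the MAC covers the cookie name, so one cookie's
# value cannot be replayed under the other cookie's name.
sub make_token {
    my ($name, $sid, $issued) = @_;
    return join '.', $sid, $issued, hmac_sha256_hex("$name|$sid|$issued", $SECRET);
}

sub ct_eq {    # string comparison that does not stop at the first mismatch
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the two Set-Cookie header values for session $sid (hex, no dots).
sub issue_cookies {
    my ($sid, $now) = @_;
    my @t = gmtime($now + $TTL);
    my $exp = sprintf '%s, %02d %s %04d %02d:%02d:%02d GMT',
        $DAY[$t[6]], $t[3], $MON[$t[4]], $t[5] + 1900, @t[2, 1, 0];
    return (
        # 1. timed cookie: the browser discards it after ~20 minutes
        'sess_timed=' . make_token('sess_timed', $sid, $now) . "; Expires=$exp; Path=/",
        # 2. no Expires attribute: discarded when the browser is closed
        'sess_window=' . make_token('sess_window', $sid, $now) . '; Path=/',
    );
}

# Returns the session id only if BOTH cookies are present, authentic and name
# the same session, and the timed one is inside the window; otherwise nothing.
sub validate_session {
    my ($cookie_header, $now) = @_;
    my (%cookie, %sid);
    for my $pair (split /;\s*/, $cookie_header // '') {
        $cookie{$1} = $2 if $pair =~ /^([^=\s]+)=(.*)$/;
    }
    for my $name (qw(sess_timed sess_window)) {
        my ($sid, $issued, $mac) = split /\./, $cookie{$name} // '', 3;
        return unless defined $mac && $issued =~ /\A\d+\z/;
        return unless ct_eq($mac, hmac_sha256_hex("$name|$sid|$issued", $SECRET));
        return if $name eq 'sess_timed' && $now - $issued > $TTL;
        $sid{$name} = $sid;
    }
    return $sid{sess_timed} eq $sid{sess_window} ? $sid{sess_timed} : ();
}
```

Under CGI, `validate_session` would be called with `$ENV{HTTP_COOKIE}` and `time`, and `issue_cookies` called again on each valid request to slide the 20-minute window forward.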
