Answer: Security: Cookies vs HTTP authentication

by rodry (Beadle)
on Sep 02, 2000 at 01:11 UTC

How about sites that don't use HTTPS and still have some sensitive information that they secure by means of cookies?

Take for example You store sensitive information about yourself and the people in your group. Not to mention pictures, resumes, etc. Yet I don't remember having to go through an HTTPS-secured page to log in or authenticate.

That kind of security is enough for me. What do you think?

RE: Answer: Security: Cookies vs HTTP authentication
by Russ (Deacon) on Sep 02, 2000 at 01:55 UTC
    For me, it is instinctive, reflexive and otherwise just subconscious to glance at the little padlock in the lower left of the Netscrape window before I even type something I consider sensitive into a browser window.

    I say this because you do not have to log in to be using https. Don't confuse SSL with security. SSL simply means "reduced risk of eavesdropping." Nor does logging in imply https. You could have logged in, then been dropped back out to a "normal" protocol.

    Further, it may be nearly impossible to know what egroups or anyone else is doing "behind-the-scenes." You may have logged in through an https page, and they are now ignoring that authentication information when they determine what data you may and may not view. If they use only cookies or CGI parameters to determine what you may access, their entire site, and all data in it, is probably up-for-grabs to anyone who wants to get it.

    So, IM(ns)HO, using the words "cookies" and "security" in the same context is fundamentally bogus. As to whether that level of security is enough, to each his own. As long as you do not put truly sensitive data on the site, who cares? If you store, on a site secured by cookies or CGI params only, anything you do not consider public knowledge, you are gambling against long odds. Pure and simple.

    Good luck. :-)

    Brainbench 'Most Valuable Professional' for Perl

RE: Answer: Security: Cookies vs HTTP authentication
by vaevictus (Pilgrim) on Sep 02, 2000 at 01:24 UTC
    IMHO, securing "by cookies" is not securing at all... if you have not done some sort of user/password or crypto key exchange, then I'd be really worried about doing anything with
    It sounds to me like it would be pretty easy to obtain the data on egroups by inappropriate means (logging in as someone else). I mean... the server can store data on your computer in those cookies... but all that says is "someone once connected here". Unencrypted cookies can be sniffed. Then they can be used *EASILY* by anyone with a 3rd grade hacking level.

    Thanks for the heads up on egroups though... I'll prolly avoid them now. :)
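The replies above make two points: a cookie sent over plain HTTP can be sniffed and replayed, and a cookie that merely says "someone once connected here" is not an authentication. The Perl CGI fragment below is an added example, not code from this thread: it issues a session value only after a login has completed, signs it with an HMAC (Digest::SHA is core Perl) so a client cannot mint or alter it, gives it an expiry, and sets the cookie only over HTTPS with the Secure and HttpOnly attributes. The `$ENV{HTTPS}` check (set by mod_ssl) and the secret value are assumptions for the example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; a constructed placeholder here, load it from outside the web root in practice.
my $SECRET = 'replace-me-with-a-long-random-secret';

# Build a session value tied to a completed login: user|expiry|HMAC(user|expiry).
# The HMAC stops forgery; the expiry limits how long a captured value stays useful.
sub make_session_value {
    my ($user, $expires, $secret) = @_;
    my $payload = join '|', $user, $expires;
    return join '|', $payload, hmac_sha256_hex($payload, $secret);
}

# Constant-time comparison so a tag check does not leak via timing.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a presented session value; returns the user name, or undef if it is
# malformed, expired, or carries a tag that does not match.
sub verify_session_value {
    my ($value, $secret, $now) = @_;
    my ($user, $expires, $tag) = split /\|/, $value // '', 3;
    return undef unless defined $tag && $expires =~ /^\d+$/;
    return undef if $now >= $expires;
    my $payload = join '|', $user, $expires;
    return const_eq($tag, hmac_sha256_hex($payload, $secret)) ? $user : undef;
}

# Emit the Set-Cookie header only on an HTTPS request. Secure keeps browsers
# from sending the cookie over plain HTTP; HttpOnly hides it from page scripts.
sub session_cookie_header {
    my ($value) = @_;
    die "refusing to issue a session cookie over plain HTTP\n"
        unless ($ENV{HTTPS} // '') eq 'on';
    return "Set-Cookie: session=$value; Path=/; Secure; HttpOnly\r\n";
}

# Demonstration (not a live CGI): the issued value verifies, a value whose
# user field was edited by the client is rejected.
my $good = make_session_value('rodry', time + 3600, $SECRET);
(my $forged = $good) =~ s/^rodry/someone_else/;
printf "issued: %s\n", verify_session_value($good,   $SECRET, time) // 'rejected';
printf "forged: %s\n", verify_session_value($forged, $SECRET, time) // 'rejected';
```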
