[dev] Session security
Chuck Hagenbuch
chuck@horde.org
Wed, 10 Jan 2001 20:58:48 -0500
Quoting Michael Bull <mbull@uoguelph.ca>:
> What is the security implication of SSL to the cookies? Do they get
> encrypted using the site's encryption key?
Yes.
> Does this have any ability to prevent cross-site scripting attacks from
> stealing session cookies, either through JavaScript that comes through an
> IMP site that enabled HTML e-mail, or via an external link a user activates
> while in IMP?
No, and nothing to do with it. External sites won't get a cookie that's set for
another server.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"If you can't stand the heat, get out of the chicken!" - Baby Blues
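
Added example, not part of the original message or of Horde/IMP code: a simplified model of the browser-side scoping rule the reply refers to (a cookie goes back only to the host it was set for), plus the Secure attribute that restricts it to SSL connections. The matching follows RFC 6265 domain-match and path-match in reduced form; all host names, paths and the cookie name are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    host: str          # host whose response set the cookie
    domain: str = ""   # Domain attribute; empty means host-only
    path: str = "/"
    secure: bool = False


def domain_match(request_host: str, cookie: Cookie) -> bool:
    request_host = request_host.lower()
    if not cookie.domain:
        # Host-only cookie: exact match with the setting host.
        return request_host == cookie.host.lower()
    d = cookie.domain.lower().lstrip(".")
    # Domain cookie: the domain itself or any subdomain of it.
    return request_host == d or request_host.endswith("." + d)


def path_match(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a "/" boundary, so /horde does not cover /hordeadmin.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie: Cookie, url: str) -> bool:
    """True if a browser would attach `cookie` to a request for `url`."""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    return (domain_match(parts.hostname or "", cookie)
            and path_match(parts.path or "/", cookie.path))


# Constructed session cookie: host-only, path-scoped, SSL-only.
SESSION = Cookie("session_id", host="webmail.example.org",
                 path="/horde", secure=True)
# Same cookie set with a wide Domain attribute: every sibling host receives it.
WIDE = Cookie("session_id", host="webmail.example.org", domain="example.org")

if __name__ == "__main__":
    for url in ("https://webmail.example.org/horde/imp/mailbox.php",
                "http://webmail.example.org/horde/imp/mailbox.php",
                "https://other.example.net/horde/"):
        print(url, would_send(SESSION, url))
```
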