[horde] Problems with multiple instances in mozilla

Chuck Hagenbuch chuck at horde.org
Wed Feb 26 13:26:52 PST 2003


Quoting Hans Lellelid <hans at appliedsec.com>:

> I was wondering if there's any reference material on Horde & security --
> particularly sessions.

Nothing specific, really.

> I was thinking that there would be security
> advantages to disabling cookies for my application.  What's the thinking
> behind the cookies being more secure than session IDs in the URL?

URLs are logged much more often. And if you're using SSL, then cookies are
encrypted, while it's much easier to intercept the requested URL somewhere -
a proxy if it's used for SSL, log files, etc. etc.

> (Is the main issue session hijacking possibilities when cookies are
> disabled?)

Yes.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
must ... find ... acorns ... *thud*
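
The reply's point that URLs are logged much more often than cookies can be checked against a server's own access logs. This is an added example, not part of the original message or of Horde's code: it scans combined-format access log lines for session IDs in the request URL and in the logged Referer, and redacts them. PHPSESSID is PHP's default session name; the other parameter names, the paths and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed session parameter names (lowercase); PHPSESSID is PHP's default.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid"}

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2003:13:20:01 -0800] "GET /app/mailbox.php?PHPSESSID=3f9c2a7b1d&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Feb/2003:13:20:05 -0800] "GET /app/message.php?index=7 HTTP/1.1" 200 2048 "https://mail.example.org/app/mailbox.php?PHPSESSID=3f9c2a7b1d" "Mozilla/5.0"',
    '192.0.2.11 - - [26/Feb/2003:13:21:00 -0800] "GET /app/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def session_ids_in_url(url):
    """Return [(param, value)] for session-like parameters in a URL's query string."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAMS and v]

def audit(lines):
    """Return (line_no, field, param, value) for each session ID found in a logged URL."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        for field in ("target", "referer"):
            for param, value in session_ids_in_url(m.group(field) or ""):
                findings.append((no, field, param, value))
    return findings

def redact(line):
    """Replace session ID values in a log line with a fixed marker."""
    names = "|".join(re.escape(n) for n in sorted(SESSION_PARAMS))
    return re.sub(rf'(?i)([?&](?:{names})=)[^&\s"#]+', r'\1[REDACTED]', line)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[0]))
```

With cookie-based sessions the same requests would leave no session ID in either field, since the combined log format does not record the Cookie header.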

