Problem with nonces and HTTP GET

SitG Admin sysadmin at shadowsinthegarden.com
Fri Jan 29 02:49:19 UTC 2010


>vulnerabilities (if someone can steal the user's secure cookies in
>near-real time then they will be able to steal the user's browser
>session anyways).

I assume that attackers can obtain cookies/GET/POST from the browser; 
if they can hook the browser to such an extent that they capture 
server responses too, the user's screwed in any case, but mitigating 
attacks that rely on lesser forms of eavesdropping (whether the 
attacker steals a session or not) is the sort of edge case I've 
enjoyed developing defenses for :)

-Shade left behind "convenience" a while back, though . . . ;)
