PerlMonks  

Re^3: Exec script within script or import sub...? help plz

by hbo (Monk)
on Jun 21, 2004 at 06:27 UTC (#368374)


in reply to Re^2: Exec script within script or import sub...? help plz
in thread Exec script within script or import sub...? help plz

    Cookies are subject to man-in-the-middle attacks, particularly if you use them in non-encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:

  1. Intercept and extract a cookie from a privileged session.
  2. DOS the genuine client.
  3. Spoof that client's IP and present the ill-gotten cookie to the server.

Step 1 is made harder by encrypting communication. Step 3 could be made easier through understanding of the particular application semantics.

Another possibility is rifling through the browser cache of a (for example) stolen laptop, looking for interesting cookies. Limiting the lifetime of cookies helps protect against that.
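As an added example (not code from hbo or anyone else in this thread), here is how a CGI::Session application can apply the two mitigations the parent post mentions, SSL-only cookies and short lifetimes. It assumes CGI::Session 4.x (for name() and the -ip_match import) and a CGI.pm new enough to emit -httponly (3.45 or later).

```perl
#!/usr/bin/perl
# Added example, not code from the thread: issue the CGI::Session cookie so
# that a captured session ID is only usable briefly and only over TLS.
# Assumes CGI::Session 4.x (name(), -ip_match) and a CGI.pm that accepts
# -httponly (3.45 or later).
use strict;
use warnings;
use CGI;
use CGI::Session qw(-ip_match);   # reject an ID presented from a different address

my $cgi = CGI->new;
my $session = CGI::Session->new( "driver:File", $cgi, { Directory => '/tmp/sessions' } )
    or die CGI::Session->errstr;

# Server side: the stored session dies after 15 idle minutes, so an
# intercepted ID stops working even if the client keeps sending it.
$session->expire('+15m');

# Weak form, for contrast: sent over plain HTTP, readable by page scripts,
# and kept by the browser until it is closed.
my $weak_cookie = $cgi->cookie(
    -name  => $session->name,
    -value => $session->id,
);

# Hardened form: TLS only (-secure), hidden from JavaScript (-httponly),
# and a browser-side lifetime that matches the server-side one.
my $cookie = $cgi->cookie(
    -name     => $session->name,
    -value    => $session->id,
    -secure   => 1,
    -httponly => 1,
    -expires  => '+15m',
    -path     => '/',
);

$session->flush;                  # write the record before the response goes out
print $cgi->header( -cookie => $cookie );
print "Session ", $session->id, " issued\n";
```

The -ip_match check only compares REMOTE_ADDR, so it raises the bar for hbo's step 3 rather than closing it; the short expiry and the -secure flag are what actually shrink the window for steps 1 and 2.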

