[lwip-devel] [patch #9576] Adding authorization cookie management


From: Giuseppe Modugno
Subject: [lwip-devel] [patch #9576] Adding authorization cookie management
Date: Fri, 2 Mar 2018 05:42:27 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Follow-up Comment #9, patch #9576 (project lwip):

> Come on. It's easy enough to obfuscate the password, mix it with current
> time or request counter. That's not an issue.

All can be done and I admit *the* current solution for security is HTTPS/TLS.
With this technology, you can send the password even in the clear.
In situations where you don't have HTTPS/TLS you have a security flaw. Full
stop.

Anyway, you can try to increase the security as much as you can. IMHO sending
the password continuously (encrypted or not) in the query string is a bad thing.
For example, query strings are saved in your browser's History or Bookmarks.
You see the query string if you print the page.

I know you can search cookies too, but it seems to me they are a little more
hidden than query strings. And they are less annoying. And I think cookies are
not stored by the browser if they don't have an expiration date (or a maximum
duration).

This is my opinion and I hope you don't think I'm trying to push to apply my
patch.


    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?9576>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
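
As an added illustration of the trade-off discussed in this message (not code from the patch or from lwIP): a C example that issues a cookie with no expiration attribute and authorizes later requests from the `Cookie` header, so the password never appears in a URL. The function names, the `auth` cookie name and the sample values used with it are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; these are not lwIP httpd APIs. */

/* Emit a session cookie: no Expires/Max-Age attribute, and HttpOnly so
 * page scripts cannot read it. Returns header length, or -1 if it won't fit. */
int build_set_cookie(char *out, size_t outlen, const char *token)
{
    int n = snprintf(out, outlen, "Set-Cookie: auth=%s; Path=/; HttpOnly\r\n", token);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

/* Locate cookie `name` in a Cookie header value such as "a=1; auth=xyz".
 * Returns a pointer to its value and stores the value length, or NULL. */
const char *find_cookie(const char *hdr, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        const char *end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        if ((size_t)(end - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
            *len = (size_t)(end - p) - nlen - 1;
            return p + nlen + 1;
        }
        p = end;
    }
    return NULL;
}

/* Compare without an early exit, so timing does not depend on where the
 * first mismatching byte is. */
int token_matches(const char *val, size_t len, const char *expected)
{
    size_t elen = strlen(expected);
    unsigned char diff = (unsigned char)(len != elen);
    for (size_t i = 0; i < elen; i++)
        diff |= (unsigned char)((i < len ? val[i] : 0) ^ expected[i]);
    return diff == 0;
}

/* Authorize a request from its Cookie header instead of its query string. */
int request_authorized(const char *cookie_hdr, const char *session_token)
{
    size_t len = 0;
    const char *v = find_cookie(cookie_hdr, "auth", &len);
    return v != NULL && token_matches(v, len, session_token);
}
```

Without TLS the cookie still crosses the network in clear text; the example only keeps the credential out of URLs.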