[WEB SECURITY] NetSec Breaking Apps Better Than AppSec
Tim
tim-security at sentinelchicken.org
Sat Jul 9 13:06:22 EDT 2011
> ... but the only good
> way to fix this mess would be proper origin-scoped cookies (a la Adam
> Barth's Cake header; or localStorage, except that the latter is still
> horribly insecure in some popular browsers).
Well... How about we use a real authentication protocol for users,
and leave cookies for the non-security use cases? Giving web
developers control over individual bits in messages used for
authentication is always going to be a recipe for disaster.
I would be thrilled if some of you heavy-weights joined us in the
discussions:
https://www.ietf.org/mailman/listinfo/http-auth
tim