[dokuwiki] Re: CookieMonster
- From: "Andreas Gohr" <andi@xxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Fri, 12 Sep 2008 22:11:46 +0200
>>> [...] My understanding is that
>>> this means that DokuWiki sites may be vulnerable to attacks using the
>>> CookieMonster toolkit.
> I solved this on my other project by setting the "secure" boolean when I did
> the set_cookie() call if the site was using SSL but I can't see any way of
> forcing that behaviour via PHP flag setting so it's going to require a tiny
> DW code change.
As I understand it, setting the "secure" option of cookies would
prevent users from securing the login via SSL only. This is very
common because putting the whole wiki under SSL needs much more CPU
power. Using the httponly option on the other hand might be sensible.
The Register article unfortunately didn't really describe how the
cookie monster attack works. We try to make the cookie as secure as
possible by encrypting it and binding it to a combination of the IP
address and the Browser-ID to make cookie stealing harder.
Andy, what are your thoughts on this?
Andi
--
splitbrain.org
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
- Follow-Ups:
- [dokuwiki] Re: CookieMonster
- From: Andy Webber
- References:
- [dokuwiki] CookieMonster
- From: Paul Oldham
- [dokuwiki] Re: CookieMonster
- From: Andy Webber
- [dokuwiki] Re: CookieMonster
- From: Paul Oldham
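The two mechanisms the thread weighs against each other, the Secure/HttpOnly cookie flags and binding the cookie to the client, as an added illustration that is not DokuWiki code or anything from this thread. It models only the browser rules that matter for CookieMonster (a non-Secure cookie is attached to any plain-HTTP request for the same host, which is what the attacker provokes), then shows the trade-off Andi points out (a Secure cookie is invisible to pages served over http, so "SSL for the login only" stops working), and finally a client-binding check. The host name, key, user agent strings and cookie name are constructed; the binding uses a keyed MAC over user, IP and a browser ID rather than the encryption the post mentions, which is an assumption made to keep the example short.

```python
# Added illustration for the thread above; not DokuWiki's code. Host name,
# key, user agents and cookie contents below are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False    # browser sends it over https only
    httponly: bool = False  # page script cannot read it via document.cookie


class CookieJar:
    """Minimal model of the browser rules that matter here."""

    def __init__(self):
        self.cookies = []

    def set(self, cookie):
        self.cookies.append(cookie)

    def for_request(self, scheme, host):
        """Cookies a browser attaches to a request for scheme://host/."""
        return [c for c in self.cookies
                if c.domain == host and (scheme == "https" or not c.secure)]

    def script_readable(self, host):
        """Cookies that script on host can read via document.cookie."""
        return [c for c in self.cookies if c.domain == host and not c.httponly]


def cookiemonster_leak(jar, host):
    """The attack in one line: a network attacker injects a reference to
    http://host/ into any cleartext page the victim loads (an <img>, say).
    The browser fetches it and attaches every cookie it would send over
    plain HTTP, in cleartext, where the attacker reads them."""
    return [c.name for c in jar.for_request("http", host)]


def compare_flags(host="wiki.example.org"):
    """Log in over SSL with and without Secure; report what leaks and what
    each part of the site can still see."""
    results = {}
    for label, secure in (("no_secure_flag", False), ("secure_flag", True)):
        jar = CookieJar()
        jar.set(Cookie("session", "opaque-token", host, secure=secure, httponly=True))
        results[label] = {
            "leaked_over_http": cookiemonster_leak(jar, host),
            # the trade-off raised in the post: with Secure set, pages served
            # over plain http never see the cookie, so SSL-only login breaks
            "seen_by_http_pages": [c.name for c in jar.for_request("http", host)],
            "seen_by_https_pages": [c.name for c in jar.for_request("https", host)],
            "readable_by_script": [c.name for c in jar.script_readable(host)],
        }
    return results


# Binding a cookie to the client, in the spirit of the IP + browser-ID check
# mentioned in the post. Assumption: a keyed MAC stands in for the encryption
# DokuWiki uses, so a sniffed token fails when replayed from elsewhere.
SERVER_KEY = b"constructed-example-key-change-me"


def browser_id(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def issue_cookie(user, client_ip, user_agent, key=SERVER_KEY):
    msg = f"{user}|{client_ip}|{browser_id(user_agent)}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def verify_cookie(value, client_ip, user_agent, key=SERVER_KEY):
    """Return the user name if the cookie was issued for this IP and browser,
    else None (fails closed on malformed input)."""
    user, sep, tag = value.rpartition(":")
    if not sep:
        return None
    expected = issue_cookie(user, client_ip, user_agent, key).rpartition(":")[2]
    return user if hmac.compare_digest(tag, expected) else None


def replay_test():
    victim_ip, victim_ua = "10.0.0.5", "Mozilla/5.0 (X11; Linux) Firefox/3.0"
    token = issue_cookie("alice", victim_ip, victim_ua)
    return {
        "victim": verify_cookie(token, victim_ip, victim_ua),
        # attacker replays the sniffed token from another address
        "other_ip": verify_cookie(token, "192.0.2.7", victim_ua),
        # or from the victim's address but a different client
        "other_browser": verify_cookie(token, victim_ip, "curl/7.18"),
        # attacker on the victim's LAN behind the same NAT address who also
        # copies the User-Agent header is indistinguishable from the victim
        "spoofed_on_same_lan": verify_cookie(token, victim_ip, victim_ua),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(compare_flags())
    pprint(replay_test())
```

Running it shows the two halves of the argument side by side: without Secure the session cookie leaks on the first injected http request, with Secure it does not, but then no http page of the wiki sees a logged-in user either. The replay half shows what IP and browser binding buys and its limit: CookieMonster is a same-network attack, and an attacker sharing the victim's NAT address who copies the User-Agent header passes the check. HttpOnly is orthogonal to both and only stops script from reading the cookie; it does nothing about the cleartext request.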