HTTP Cookies
Vitali, 2011-08-14 20:38:33

Cookie Theft - Developer or User Issue?

Is gaining unauthorized access to the system by stealing cookies from the user a developer problem?

Do you deal with this somehow or leave this problem on the user's conscience?

What are your opinions?


6 answer(s)
fizot, 2011-08-14
@fizot

IMHO this is purely a developer's problem. Users are completely different, and most do not even know what cookies are, while a competent developer writes his software for everyone.
IMHO here you either bind it to an IP, which is not very good because most users have dynamic IPs, or accept this, which may compromise security.
You can also bind it to the User-Agent as an additional security parameter, or even encrypt it in the user agent.
You can also invent perversions, for example, updating the cookie every time the user logs in, etc.

@antoo, 2011-08-15

It depends on the method of theft: if it is XSS, the developer is to blame, and if the user enters miracle scripts into the address bar, then he is to blame.

NEMMO, 2011-08-15
@NEMMO

If cookies are stolen directly from the user's computer, then the user himself is 100% to blame. Similarly, if your ICQ password was stolen, we will not blame icq.com for this.
>Depends on the method of theft - whether it is XSS - the XSS developer is to blame
- There are no options, only the developer's fault!

interrupt_controller, 2011-08-15
@interrupt_controller

The browser developer may also be at fault if there is a vulnerability in the browser that allows cookies to be stolen.
Likewise, if the cookies are stored on the client in unencrypted form, that is also for the most part the fault of the browser developers.

Roman, 2011-08-15
@lampa

I agree with the opinions above and will add my own: I usually wrap the user agent + the first digits of the IP address in MD5 and just compare it at login.
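
An added example (not part of Roman's post, and not any site's own code) of the binding he and fizot describe: a fresh session ID at every login, tied to a hash of the User-Agent plus an IP prefix and compared on each request. It swaps MD5 for HMAC-SHA256 and assumes a server-side session store; `SessionStore`, the /16 and /48 prefix widths and all sample values are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumption: one secret per deployment, kept on the server only.
SERVER_KEY = secrets.token_bytes(32)

def ip_prefix(addr: str) -> str:
    """Coarse network prefix, so a dynamic IP inside one range still matches.
    Assumed widths: /16 for IPv4, /48 for IPv6."""
    bits = 16 if ipaddress.ip_address(addr).version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

def fingerprint(user_agent: str, addr: str, key: bytes = SERVER_KEY) -> str:
    """Keyed hash of User-Agent + IP prefix (HMAC-SHA256 in place of MD5)."""
    msg = f"{user_agent}\n{ip_prefix(addr)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SessionStore:
    """Hypothetical in-memory store: session id -> (user, fingerprint)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str, user_agent: str, addr: str) -> str:
        # A new random ID is issued on every login, so an old cookie
        # value is never reused for a later session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, fingerprint(user_agent, addr))
        return sid

    def check(self, sid: str, user_agent: str, addr: str):
        """Return the user name, or None if the cookie is unknown or the
        request does not match the fingerprint recorded at login."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, stored = entry
        if not hmac.compare_digest(stored, fingerprint(user_agent, addr)):
            # Mismatch: treat the cookie as stolen and force a new login.
            del self._sessions[sid]
            return None
        return user
```

The User-Agent is supplied by the client, so this check only raises the bar for a stolen cookie. It does not replace the `HttpOnly` and `Secure` cookie flags against the XSS case discussed in this thread.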

NEMMO, 2011-08-15
@NEMMO

There is only one answer to this question (judging by the comments): everyone is guilty! Site developers, users, and third parties (in our case, browser developers).
