RE: [WEB SECURITY] Fundamental error in Corsaire's paper?

["Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>]

On 28 Apr 2006 at 11:58, Armag wrote:

> 
> What is the final verdict, the original topic of this thread? 
> The Corsaire article - is there a fundamental error in the
> recommendation part of it?

Well, if you ask me, then yes, there is a problem in the Corsaire paper, 
since it doesn't mention that in almost all of the cases, the cookie
path is useless for improving security. The only case wherein this recommendation actually 
adds
security is the very rare situation of a JS-turned-off (indeed...) non-MSIE browser
going to a non-IIS (or more likely non-Windows) website, and even that
is not guaranteed (who knows what other tricks work for the various servers out there). So 
up to this negligible situation, I hold to my original claim - "There is no such thing as 
path security".

-Amit

PS - which isn't to say I'm against using cookie path. Go ahead, use it - it will probably 
save you from cookie namespace collisions. But don't think you buy any security this way 
(well, up to the aforementioned bizarre scenario, that is...)

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/