[http-state] Cookie login security inconsistency
"Shelby Moore" <shelby@coolpage.com> Wed, 25 August 2010 17:03 UTC
Some of you know me already from the Hybi WG (WebSockets), so no need to introduce myself.

Please introduce to the record here, one specific inconsistency from prior cookies standard for best practices:

https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c26

Also I would like to introduce the entire linked page above to the record of input to this WG.

I notice that Mozilla appears to agree with me on the solution or way to proceed:

https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c47

I am happy to see some people are working on the problem of http-state and I hope with an intent of closing the security holes. Good luck with this. I wish you all the best.

============

Please note I am not joining this WG and will be unsubscribed after this post. Please remove my email address from any replies to this mailing list. If I have something else important to contribute, I will come back in the future.