Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Not To Design a Protocol

Posted by timothy on Saturday October 30, 2010 @12:06AM from the sweet-morsels-of-logged-in-ness dept.

An anonymous reader writes "Google security researcher Michael Zalewski posted a cautionary tale for software engineers: amusing historical overview of all the security problems with HTTP cookies, including an impressive collection of issues we won't be able to fix. Pretty amazing that modern web commerce uses a mechanism so hacky that does not even have a proper specification."

1 of 186 comments (clear)

Min score:

Reason:

Sort:

More restrictive spec could have averted this by thasmudyan · 2010-10-30 00:53 · Score: 5, Interesting

I still think allowing cookies to span more than one distinct domain was a mistake. If we had avoided that in the beginning, cookie scope implementations would be dead simple and not much functionality would be lost on the server side. Also, JavaScript cookie manipulation is something we could easily lose for the benefit of every user, web developer and server admin. I postulate there are very few legitimate uses for document.cookie