don’t bring a knife to a gunfight

September 9th, 2001

Rick pointed out that the crux of the Verizon problem was guessable session IDs, not cookies directly.

True, the guessable session ID is the final culprit, but it wouldn’t be an issue if they weren’t avoiding cookies.

I’m assuming the reason the session ID is being exposed to the user (and therefore the hacker too) by being passed around in the URL is that they are using a cookie-less session mechanism because they want to cater to users who turn off cookies.
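To make the distinction concrete, here is a small added example (not code from the original post, and not a reconstruction of any real site's session handling): a cookie-less scheme that hands out sequential session IDs in the URL, next to a hardened scheme that issues a random ID and delivers it only in a cookie. The store names, the `example.invalid` host and the `sid` parameter are all assumptions for illustration.

```python
import itertools
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# --- Weak scheme (constructed illustration): sequential IDs carried in the URL ---
# A counter is the simplest "cookie-less" session token, and the worst.
_weak_counter = itertools.count(1000)
WEAK_SESSIONS = {}  # hypothetical in-memory store: sid -> user


def weak_new_session(user):
    """Issue the next sequential session ID and bind it to a user."""
    sid = next(_weak_counter)
    WEAK_SESSIONS[sid] = user
    return sid


def weak_session_url(sid):
    """The ID rides in the query string, so it shows up in the address bar,
    browser history, proxy logs and Referer headers sent to other sites."""
    return "https://example.invalid/account?" + urlencode({"sid": sid})


def attacker_guess_next(observed_sid):
    """With sequential IDs, anyone holding one valid session can name the next."""
    return observed_sid + 1


# --- Hardened scheme: unguessable ID, delivered only in a cookie ---
STRONG_SESSIONS = {}  # hypothetical in-memory store: sid -> user


def strong_new_session(user):
    """Issue a 256-bit random session ID from the OS CSPRNG."""
    sid = secrets.token_urlsafe(32)
    STRONG_SESSIONS[sid] = user
    return sid


def strong_set_cookie_header(sid):
    """Build the Set-Cookie header: HttpOnly keeps script from reading it,
    Secure keeps it off cleartext HTTP, SameSite limits cross-site sends."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["path"] = "/"
    c["sid"]["samesite"] = "Strict"
    return c.output(header="Set-Cookie:")


def lookup(store, sid):
    """Resolve a session ID to its user, or None if unknown."""
    return store.get(sid)


if __name__ == "__main__":
    alice = weak_new_session("alice")
    bob = weak_new_session("bob")
    print("victim's URL:", weak_session_url(alice))
    print("attacker guesses next ID:", attacker_guess_next(alice),
          "->", lookup(WEAK_SESSIONS, attacker_guess_next(alice)))
    strong = strong_new_session("alice")
    print(strong_set_cookie_header(strong))
```

The point of the two halves: moving the token into a cookie keeps it out of URLs and logs, but the cookie only helps if the value inside it cannot be predicted. Both properties are needed; the weak scheme above fails both.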

Bah, humbug, I say. No cookies, no service. You wanna drive around shirtless, you gotta put one on before getting served at the lunch counter. If you’re really paranoid about cookies, learn what they are and how to delete them regularly.

While I’m at it, no DOM browser, no fancy DHTML application. You’re not gonna get real high fidelity stereo on that crystal radio no matter what tricks I use, so consume my services with a tool that’s up to the task, or go get one – they’re giving them away free.

The longer we continue to jump through hoops accommodating throwbacks and paranoia, the longer it will be before we can truly move forward. As for those accommodations that ARE necessary, they’ll be much more manageable with newer tools.