Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. We may not stop the information redirection. We can make the information invalid. Regards, Ezra On Fri, 2005-07-08 at 12:31 -0500, Edward Vermillion wrote: > On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: > > > > > I am just wondering, how could someone craft an html to steal cookies? > > If your cookie distribution is done right, I don't think you need to > > worry about this. > > > > That's what XSS is all about. I don't have the link handy but I do have > a PDF file that I found > a while back that explains how this happens, and to tell the truth, it > scared the s*** outa me. > To the point that I really don't trust any online commerce, although I > do still use it, just as > I still give the waitress/waiter my credit card at a restaurant, even > though I know that's where > most of the identity theft/stolen CC numbers comes from. > > > There are a gazillion of sites (CMS-based, wiki-based, etc, including > > php.net) that allow users to contribute html. They are not concern > > about > > security of data delivery. > > Yeah I know... :P > > > > > I think, page breaking html is more prominent issue, which you could > > eliminate with BBcode or wiki language. > > > > Perhaps you are being a little paranoid? > > Or do I miss something? > > > > So yeah, I'm being paranoid but I'm also trying to cover as many bases > as I can and yet > still provide some decent functionality. > > > Edward Vermillion > evermillion@xxxxxxxxxxxx > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
