[Catalog-sig] Fwd: readthedocs.org or packages.python.org?
martin at v.loewis.de
Thu Feb 7 02:03:10 CET 2013
Quoting Donald Stufft <donald.stufft at gmail.com>:
>> Why is that? If the issue is for "www.python.org
>> (http://www.python.org)", then packages.python.org
>> (http://packages.python.org)
>> cannot steal it, can it?
>
> Session Fixation.
Hmm. Correct me if I'm wrong, but the article you cited
claims that this is easily solved by not using the session
ID in GET/POST variables (but only in cookies).
>> - don't use cookies 2: use TLS session IDs instead
>
> Pretty sure these are passed cleartext, hope you didn't want your
> sessions MITM'd
Hmm. Again in the article you cite, and also in many other
sources, common wisdom is that this *is* safe against
MITM.
Regards,
Martin
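The session-fixation point argued above, as an added illustration that is not part of the thread and not code from any python.org service: a minimal server-side session table that only ever trusts IDs it issued itself and, in its hardened configuration, rotates the ID at login. It assumes the session ID travels only in a cookie (Martin's point), and the "planted" ID in `fixation_outcome` is a constructed scenario, not a real observed one; the `rotate_on_login` switch exists only to show both outcomes side by side.

```python
import secrets


class SessionStore:
    """Server-side session table: the only source of valid session IDs."""

    def __init__(self, rotate_on_login=True):
        self._sessions = {}
        self.rotate_on_login = rotate_on_login

    @staticmethod
    def new_id():
        # 256 bits from the OS CSPRNG; a client can neither guess nor choose it.
        return secrets.token_urlsafe(32)

    def start(self):
        """Issue a fresh anonymous session; the ID is sent to the client in a cookie."""
        sid = self.new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        """Look up the session named by a cookie value; None if this server never issued it."""
        return self._sessions.get(presented_sid)

    def login(self, presented_sid, user):
        """Authenticate the client.

        With rotation (the mitigation), the presented ID is discarded and the
        authenticated session lives only under a newly generated ID that the
        client learns from the Set-Cookie response. An ID handed out before
        login, whoever put it in the cookie jar, therefore never becomes an
        authenticated session. Without rotation, the pre-login ID is reused.
        """
        if self.rotate_on_login:
            self._sessions.pop(presented_sid, None)
            sid = self.new_id()
        else:
            sid = presented_sid
            if sid not in self._sessions:
                return None
        self._sessions[sid] = {"user": user}
        return sid


def fixation_outcome(rotate_on_login):
    """Replay the scenario from the thread against one server configuration.

    Returns True if the ID that sat in the cookie before login ends up
    authenticated (the session-fixation failure), False if the server is
    not affected. The planted ID is a constructed scenario value.
    """
    store = SessionStore(rotate_on_login=rotate_on_login)
    planted = store.start()           # an ID obtained earlier and set in the victim's cookie
    store.login(planted, "alice")     # victim authenticates while presenting that cookie
    session = store.resolve(planted)
    return session is not None and session["user"] == "alice"


if __name__ == "__main__":
    print("no rotation:", fixation_outcome(rotate_on_login=False))
    print("rotation:   ", fixation_outcome(rotate_on_login=True))
```

Keeping the ID out of GET/POST parameters removes the easiest way to plant one, but as the run shows, a cookie-only scheme still reuses whatever ID arrives unless the server issues a fresh one at the moment of authentication; the two measures together are what the usual advice amounts to.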