xml-dev - Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

[ Lists Home | Date Index | Thread Index ]

To: jcowan@reutershealth.com
Subject: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
From: Rich Salz <rsalz@datapower.com>
Date: Mon, 05 Jan 2004 15:23:08 -0500
Cc: xml-dev@lists.xml.org
In-reply-to: <20040105200349.GD2625@skunk.reutershealth.com>
References: <p06010205bc1f30963822@[192.168.254.4]> <1073317356.8730.123.camel@saag> <p06010207bc1f5c8d8c6f@[192.168.254.4]> <3FF9B446.7020003@datapower.com> <20040105200349.GD2625@skunk.reutershealth.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030507

> What is to prevent replay attacks in the cookie scenario you describe?

I'm not sure what you mean by replay attack.  What packets (HTTP 
requests) is the adversary replaying?  If the initial login form is 
protected by SSL, than there's nothing to steal for future replay. (If 
your adversary can crack SSL/TLS, it's safe to assume they're going to 
go after bigger fish than you might be. :)

> A timeout only prevents *delayed* replay attacks.

No, a timeout limits the exposure if the credentials are stolen.  A 
cookie is essentially a session authenticator, and not the long-term 
identity authenticator.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html

Follow-Ups:
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: jcowan@reutershealth.com

References:
- Cookies at XML Europe 2004 -- Call for Participation
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
- Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: Edd Dumbill <edd@usefulinc.com>
- Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: Rich Salz <rsalz@datapower.com>
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: jcowan@reutershealth.com

Prev by Date: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Next by Date: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Previous by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Next by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Index(es):
- Date
- Thread