[
Lists Home |
Date Index |
Thread Index
]
> The differences between a login session and basic-auth/digest style,
> is two-fold. First, if stolen, the impersonation is good for a
> finite time, not until I notice and change my password. The second,
> is that the adversary only has session credentials, and not my
> long-term login password. Those are very significant differences.
Indeed, in particular because sites with varying levels of security such
as Amazon will use a cookie to identify you so you can alter your
personal details, see stuff customised, and so on, but when you go to
actually order they ask you to enter your password again.
So somebody who steals the session by intercepting one request's cookie
will not be able to order things, unlike somebody who stole an HTTP Auth
request.
Also, many people reuse the same username/password on different sites,
but the same cookie will only ever be valid on different sites by
extreme unlikely chance :-)
ABS
|
