Posted: Thu Jul 28, 2005 5:32 pm
As a user who has my browser set to ask me whether or not I want to accept a cookie, I severely dislike sites that shower cookies upon you (especially the ones that are like: Site would like to send a cookie named "test"). Adding extra session cookies helps, but only to a small extent after the second, because if they got one cookie, then they've probably got them all. (Of course, there are other ways to get session IDs.)

Roja wrote:
I usually suggest to do so, yes.

nielsene wrote:
Hmm? If a user gets another user's session id, game over. There is nothing else to match. Unless you're sending a second cookie/GET based authenticator to compare against?

I think he meant HMAC(sessionID,expTime,serverSecret)

You said: HMAC(sessionID,expTime).

That's not a server secret, and yes, the attacker can generate that same HMAC, so no, it's not secure.
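The distinction the thread is drawing, as an added example that is not part of the original post: a session token of the form sessionID|expTime|HMAC verifies only when the MAC is keyed with a secret held on the server, whereas a hash over the same public fields with no secret can be recomputed by anyone who knows the construction. The secret value and session ID below are constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real one is random and never leaves the server.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def mint_token(session_id: str, exp_time: int, secret: bytes = SERVER_SECRET) -> str:
    """Build 'sessionID|expTime|tag' where tag = HMAC-SHA256(secret, sessionID|expTime)."""
    payload = f"{session_id}|{exp_time}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{session_id}|{exp_time}|{tag}"


def verify_token(token: str, now: int, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the keyed MAC over the presented fields, then check expiry."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    session_id, exp_str, tag = parts
    expected = hmac.new(secret, f"{session_id}|{exp_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False
    return int(exp_str) > now


def unkeyed_token(session_id: str, exp_time: int) -> str:
    """The weak scheme from the thread: a plain hash of the public fields, no server secret."""
    payload = f"{session_id}|{exp_time}".encode()
    return f"{session_id}|{exp_time}|{hashlib.sha256(payload).hexdigest()}"


def verify_unkeyed(token: str, now: int) -> bool:
    """Verifier for the weak scheme; it accepts any token built by unkeyed_token, by anyone."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    expected = hashlib.sha256(f"{parts[0]}|{parts[1]}".encode()).hexdigest()
    return hmac.compare_digest(expected, parts[2]) and int(parts[1]) > now
```

With the keyed scheme, a token built with any secret other than the server's, or with an altered expTime, fails verification; with the unkeyed scheme, a token built from nothing but the visible session ID and a chosen expiry is accepted.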