perl-modperl mailing list archives

From Perrin Harkins <per...@elem.com>
Subject Re: session module
Date Sat, 30 Oct 2010 18:33:30 GMT
On Fri, Oct 29, 2010 at 4:23 PM, Lon Koenig <lon@schnoggo.com> wrote:
> Are these susceptible to the cleartext cookie silliness exposed by FireSheep?

Well, Apache::Session doesn't handle cookies at all, so it's entirely
up to you how you want to deal with it, and CGI::Session doesn't
dictate whether or not your site uses SSL, so that is also up to you.

There is no way to prevent people from potentially seeing cookies (or
anything else) passed over a non-SSL network.  Sites that are
seriously concerned about this should use SSL.  Even sites that don't
use SSL should use cookies with some form of MAC and a reasonable
session timeout.

- Perrin
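
An added example, not part of the original message and not code from Apache::Session or CGI::Session: one way to put a MAC and a timeout on a session cookie value, using the core Digest::SHA module. The secret, the 30-minute lifetime, the `id|expiry|mac` layout and all function names are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret; a real application loads it from configuration.
my $SECRET  = 'constructed-demo-key-change-me';
my $TIMEOUT = 30 * 60;    # assumed session lifetime, in seconds

# Build "session_id|expiry|mac". The MAC covers the id and the expiry together,
# so neither can be changed by the client without invalidating the cookie.
sub make_cookie_value {
    my ($session_id, $now) = @_;
    my $expires = $now + $TIMEOUT;
    my $mac     = hmac_sha256_hex("$session_id|$expires", $SECRET);
    return "$session_id|$expires|$mac";
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the session id if the cookie is authentic and unexpired, otherwise nothing.
sub check_cookie_value {
    my ($value, $now) = @_;
    my ($session_id, $expires, $mac) = split /\|/, ($value // ''), 3;
    return unless defined $mac
        && $session_id =~ /\A[0-9a-f]+\z/
        && $expires    =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex("$session_id|$expires", $SECRET);
    return unless constant_time_eq($mac, $expected);    # forged or altered
    return if $now >= $expires;                         # past the timeout
    return $session_id;
}

# Constructed sample input: a made-up session id, checked three ways.
my $now    = time;
my $cookie = make_cookie_value('3f2a9c41d07be655', $now);
(my $tampered = $cookie) =~ s/\A3f/4f/;    # client edits the session id
printf "valid:    %s\n", check_cookie_value($cookie,   $now) // 'rejected';
printf "tampered: %s\n", check_cookie_value($tampered, $now) // 'rejected';
printf "expired:  %s\n", check_cookie_value($cookie,   $now + $TIMEOUT + 1) // 'rejected';
```

The MAC rejects forged or altered cookies and the expiry bounds how long a captured one stays usable; a cookie read off a non-SSL network can still be replayed until it expires.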
