Is blocking cookies a threat?

Post by Lucas Malor » Thu May 30, 2013 8:21 am

I started doing a little programming using PHP. (I don't like it, I prefer Python, but it's the most used, so...)

Using sessions, I understood that if the session id is not stored in cookies, it must be propagated with POST (or GET...). I noticed that some sites automatically use GET if they can't set cookies. I think that it's much more secure to allow non-third-party cookies by default instead of having this. For example, if I remember correctly, phpBB by default sends the session id using GET, but this board removed that "feature".

You can see if the site is using GET by checking the URL (even if I don't check the URL every time I log in to a site...), but it's hard to tell if the site is using POST (I think you can see it by refreshing a site page while you're logged in, but memory plays a role here, as with checking the URL for GET).

What do you think about it?

Post by Thrawn » Fri May 31, 2013 11:47 am

You might have noticed that this site is not encrypted. When you log in, your password is sent in cleartext. You should not reuse a password that you use for any other purpose.

Given that, there isn't really much point in distinguishing between cookie-based and URL-based session IDs :D.

Post by Lucas Malor » Fri May 31, 2013 7:24 pm

Well, Wikipedia says POST and GET should be avoided for propagating the SID:
http://en.wikipedia.org/wiki/Session_fixation
I must say I'm a total newbie, so I don't know very much about sessions and how to avoid multiple logins, for example.

PS: if someone wants to waste his time stealing my password for this forum, I suggest he find a more exciting hobby... like curling :mrgreen:
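
The session handling discussed in the posts above, as an added example that is not part of the original thread and is not phpBB's code: a PHP bootstrap that keeps the session ID out of URLs and forms, and issues a fresh ID at login so a fixed (pre-planted) ID stops working. The function names, the `user_id` key and the sample URL are hypothetical; `sid` is the query parameter phpBB uses for its URL-based session ID.

```php
<?php
// Added example. Function names, the 'user_id' key and the sample URL are hypothetical.

function start_cookie_only_session(bool $https): void
{
    // Carry the session ID only in a cookie: never accept it from the URL
    // and never rewrite it into links or forms when cookies are refused.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => $https,  // only sent over TLS when the site offers it
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',   // array form and SameSite need PHP 7.3+
    ]);
    session_start();
}

function on_login_success(int $userId): void
{
    // Replace the pre-login ID and delete the old session data, so an ID
    // handed to the user before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function url_carries_session_id(string $url): bool
{
    // True when a link exposes a session ID in its query string, checked
    // against PHP's configured session name and phpBB's 'sid' parameter.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return isset($query[session_name()]) || isset($query['sid']);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample link, run from the command line only.
    var_dump(url_carries_session_id('http://forum.example/viewtopic.php?t=1&sid=constructed'));
}
```

With these settings a browser that refuses cookies simply gets no persistent session, rather than a session ID appended to every link.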

Post by Thrawn » Mon Jun 10, 2013 3:54 am

Well, the one who would know the most about the security measures on this forum is Giorgio. But I know he has taken steps to harden phpBB.