Cookie Specification Vulnerabilities
Subject:   Misleading examples?
Date:   2004-04-02 03:25:48
From:   fagzal
I think your first two examples might be misleading.

Sensible websites do not store sensitive information in cookies: a HTTPS website storing private data in cookies is a total disaster anyway. If it did that, it might as well send back your credit card information to you via e-mail. I think this is rather a programming mistake than a cookie vulnerability: even SSH is not secure if you use a one-letter password (note: as one of our clients did some time ago :-)). A decent programmer must know how cookies work, and use them accordingly - e.g. use them for setting up sessions. Probably this is what the moral of your article should have been :-)

Also, as Raju has written, your comment on gTLDs is a little confusing: the domain can be any domain, including ccTLDs. (What is a "regional zone"?)

- Cs.
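An added illustration of the point the comment makes (this is example code written for this page, not code from the article or from the commenter): the cookie carries only an opaque, random session identifier, while the private data stays in a server-side store. The in-memory dictionary and the sample card number are constructed stand-ins, not anything from the original thread.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for a server-side session store (a real site would use
# a database or cache); only the opaque session id ever reaches the browser.
SESSIONS = {}


def insecure_cookie(card_number):
    """The anti-pattern described in the comment: private data in the cookie itself.

    Anyone who can read the cookie (a browser extension, a proxy on a plain
    HTTP request, a cookie-domain mix-up) gets the card number directly.
    """
    cookie = SimpleCookie()
    cookie["card"] = card_number
    return cookie.output(header="Set-Cookie:")


def create_session(user_data):
    """Issue a session cookie that holds nothing but a random identifier.

    Returns (session_id, Set-Cookie header). The user data is kept server-side,
    keyed by the identifier, so the cookie reveals nothing even if disclosed.
    Secure restricts the cookie to HTTPS; HttpOnly keeps script from reading it.
    """
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    SESSIONS[session_id] = dict(user_data)
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    return session_id, cookie.output(header="Set-Cookie:")


def lookup_session(cookie_header):
    """Resolve the Cookie request header back to the server-side data, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    # Constructed sample data; the card number is a well-known test value.
    card = "4111111111111111"
    print("bad :", insecure_cookie(card))
    sid, header = create_session({"card": card})
    print("good:", header)
    print("lookup:", lookup_session("sid=" + sid))
```

Run it and compare the two Set-Cookie headers: the first leaks the card number to every hop that sees the cookie, the second exposes only a random token that is useless without the server's table.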