
shibboleth-dev - RE: Multiple targets in a single domain?


RE: Multiple targets in a single domain?


  • From: Jim Fox <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: RE: Multiple targets in a single domain?
  • Date: Wed, 30 Jun 2004 13:28:41 -0700 (PDT)


On Wed, 30 Jun 2004, Scott Cantor wrote:

> > Ultimately it is the browser that defines security boundaries,
> > through its policies regarding cookie distribution and
> > access to child page content - in particular its release
> > of session cookies - and the browser considers the network domain
> > to be the primary security boundary. All paths within the
> > same domain are considered to be, from the browser's perspective,
> > the same application. It will quite readily share cookies
> > and page content among all applications on the same domain.
>
> Not true, actually, cookies can and do get issued based on paths. Shibboleth
> supports this, but of course that's not the real issue. If it's on the same
> box, the assumptions about application separation are just that,
> assumptions.
>

This is exactly my complaint. Cookies can be scoped to paths,
but in the long run that scope has nothing to do with their
availability to active pages - JavaScript, for example. You
can scope your session cookies to your /site1/ path all you want,
but my JavaScript from /site2/ can see them quite easily. You
can prevent that access only by hosting your site on a different
domain.

I wasn't concerned with behind the scenes activity, but rather
with direct compromise of the session cookies on the browser.

Jim
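The two rules the thread is arguing about can be modelled directly. The following JavaScript is an added example, not code from the thread or from the Shibboleth project: it implements the RFC 6265 path-match rule (which only decides whether a cookie is attached to a request) beside the same-origin comparison (scheme, host and port, with no path component), so a deployer can see at a glance that two applications under /site1/ and /site2/ on one host share an origin even though their cookies are path-scoped. The cookie names, host names and URLs are constructed for illustration, and host matching is simplified to an exact host-only comparison.

```javascript
// Added example (not from the thread): model of the two rules behind the
// discussion of path-scoped cookies versus per-domain isolation.
//   1. RFC 6265 section 5.1.4 path-match decides whether a cookie is ATTACHED
//      to a request for a given path.
//   2. The same-origin policy (scheme + host + port, no path) decides whether
//      script on one page may reach another page's content on that host.
// Sample cookies and URLs below are constructed; hosts are hypothetical.

// RFC 6265 path-match: the request path matches the cookie path when they are
// identical, or when the cookie path is a prefix that either ends in "/" or is
// followed by "/" in the request path (so "/site1" does not match "/site10").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Origin as the browser's same-origin policy sees it: scheme, host, port.
// The path is deliberately not part of the tuple.
function origin(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return origin(urlA) === origin(urlB);
}

// Simplified host check: host-only cookies, exact hostname comparison
// (the full RFC 6265 domain-match for Domain-attribute cookies is omitted).
function hostMatches(urlHost, cookieDomain) {
  return urlHost === cookieDomain;
}

// For two application URLs, report whether each cookie would be attached to a
// request for each application, and whether the applications share an origin.
// A report with sameOrigin === true means path scoping is a routing detail,
// not an isolation boundary between the two applications.
function isolationReport(cookies, appUrlA, appUrlB) {
  const a = new URL(appUrlA);
  const b = new URL(appUrlB);
  return {
    sameOrigin: sameOrigin(appUrlA, appUrlB),
    cookies: cookies.map((c) => ({
      name: c.name,
      sentToA: hostMatches(a.hostname, c.domain) && pathMatches(a.pathname, c.path),
      sentToB: hostMatches(b.hostname, c.domain) && pathMatches(b.pathname, c.path),
    })),
  };
}

// Constructed sample: two applications on one host, each with a path-scoped
// session cookie, plus the same second application moved to its own host.
const SAMPLE_COOKIES = [
  { name: "site1_session", domain: "app.example.edu", path: "/site1/" },
  { name: "site2_session", domain: "app.example.edu", path: "/site2/" },
];
const SITE1_URL = "https://app.example.edu/site1/index.html";
const SITE2_SAME_HOST_URL = "https://app.example.edu/site2/index.html";
const SITE2_OWN_HOST_URL = "https://site2.example.edu/index.html";

function demo() {
  return {
    sameHost: isolationReport(SAMPLE_COOKIES, SITE1_URL, SITE2_SAME_HOST_URL),
    separateHost: isolationReport(SAMPLE_COOKIES, SITE1_URL, SITE2_OWN_HOST_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints two reports: on the shared host the cookies are attached only to their own path but `sameOrigin` is `true`, while moving the second application to its own host name is what flips `sameOrigin` to `false`.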

