shibboleth-dev - RE: Multiple targets in a single domain?
Shibboleth Developers list archive
- From: Jim Fox <>
- To: Scott Cantor <>
- Subject: RE: Multiple targets in a single domain?
- Date: Wed, 30 Jun 2004 13:28:41 -0700 (PDT)
On Wed, 30 Jun 2004, Scott Cantor wrote:
> > Ultimately it is the browser that defines security boundaries,
> > through its policies regarding cookie distribution and
> > access to child page content - in particular its release
> > of session cookies - and the browser considers the network domain
> > to be the primary security boundary. All paths within the
> > same domain are considered to be, from the browser's perspective,
> > the same application. It will quite readily share cookies
> > and page content among all applications on the same domain.
>
> Not true, actually, cookies can and do get issued based on paths. Shibboleth
> supports this, but of course that's not the real issue. If it's on the same
> box, the assumptions about application separation are just that,
> assumptions.
>
This is exactly my complaint. Cookies can be scoped to paths,
but in the long run that scope has nothing to do with their
availability to active pages - javascript, for example. You
can scope your session cookies to your /site1/ path all you want,
but my javascript from /site2/ can see them quite easily. You
can prevent that access only by hosting your site on a different
domain.
I wasn't concerned with behind the scenes activity, but rather
with direct compromise of the session cookies on the browser.
Jim
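The distinction Jim draws, between a cookie's Path scope and what script on the same host can reach, as an added model of the two browser rules involved (example code, not from the thread or the Shibboleth project; the host name `apps.example` and the cookie names are constructed):

```javascript
// Added example (not from the thread): a minimal model of the two browser rules
// the message above relies on. Host names and cookie names are constructed.

// Rule 1, request matching (RFC 6265 section 5.4): a cookie with Path=/site1/
// is attached only to requests whose path lies under /site1/.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Rule 2, script access: the boundary is the origin (scheme + host + port).
// Path is not part of it, so every path on one host is one origin.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Names of the cookies the browser attaches to a request for `url`,
// whichever page issued the request.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => c.domain === u.hostname && pathMatches(c.path, u.pathname))
    .map(c => c.name);
}

// Names a script on `scriptUrl` can read via document.cookie of a frame showing
// `frameUrl`: null when the origins differ (the browser refuses the access),
// otherwise every non-HttpOnly cookie the frame's URL qualifies for.
function cookiesReadableByScript(jar, scriptUrl, frameUrl) {
  if (origin(scriptUrl) !== origin(frameUrl)) return null;
  const u = new URL(frameUrl);
  return jar
    .filter(c => c.domain === u.hostname && pathMatches(c.path, u.pathname) && !c.httpOnly)
    .map(c => c.name);
}

// Constructed jar: two applications on one host, each with a path-scoped session.
const jar = [
  { name: "site1_session", domain: "apps.example", path: "/site1/", httpOnly: false },
  { name: "site2_session", domain: "apps.example", path: "/site2/", httpOnly: false },
];

// Path scoping holds for plain requests: a request to /site2/ never carries site1_session.
console.log(cookiesForRequest(jar, "https://apps.example/site2/")); // ["site2_session"]
// But /site2/ and /site1/ share an origin, so a /site2/ page's script can read it...
console.log(cookiesReadableByScript(jar, "https://apps.example/site2/page.html", "https://apps.example/site1/")); // ["site1_session"]
// ...while the same page served from another host is blocked outright.
console.log(cookiesReadableByScript(jar, "https://other.example/site2/page.html", "https://apps.example/site1/")); // null
```

Marking the cookie HttpOnly (an attribute the thread does not mention) empties the script's view but not the request view: a same-origin request issued from a /site2/ page to a /site1/ URL still carries site1_session, so the origin, not the path, remains the only boundary.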