[Owasp-gibraltar] Next Chapter Meeting - June/July?

Piotr Tomaszewski piotr.tomaszewski at intelligentpayments.co.uk
Fri Aug 2 09:16:28 UTC 2013


Dear All,

Just wondering: is there any activity planned for the summer? Anyway,
there's one question I would like to raise; maybe you guys have already
faced the problem before:

With the advent of Safari and (soon) Firefox blocking third-party
cookies, we had a lot of complaints about sessions being lost. We do
appear to be a third party, as our web cashier is usually embedded in an
HTML frame, and for some of the merchants asking a user to fiddle with
browser settings is unacceptable. There are strong reasons to keep it this
way, so we decided to reach for the almost-obsolete URL tokens to maintain
sessions. Although we are quite sure it is not all that different from
cookie-based sessions, I would really appreciate any insights on this you
might have.

The OWASP site says: "Effectively, the web application can use both
mechanisms, cookies or URL parameters, or even switch from one to the other
(automatic URL rewriting) if certain conditions are met (for example, the
existence of web clients without cookies support or when cookies are not
accepted due to user privacy concerns)."

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Built-in_Session_Management_Implementations

Best regards,

Piotr
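The cookie-or-URL fallback the OWASP passage describes, as an added example that is not part of the original post or of the poster's cashier code: a small in-memory session store that prefers the session cookie, falls back to a `sid` query parameter, and treats URL-carried identifiers as short-lived and single-use (a fresh identifier is issued and the one that travelled in the URL is invalidated on every request, since URLs end up in Referer headers, browser history and server logs). The cookie name `SESSIONID`, the query parameter name `sid`, the lifetimes and the `now` clock parameter are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Assumed lifetimes: a token exposed in a URL should live much shorter
# than one confined to an HttpOnly cookie.
URL_TOKEN_TTL = 300       # seconds
COOKIE_TOKEN_TTL = 1800   # seconds
COOKIE_NAME = "SESSIONID"  # assumed cookie name
URL_PARAM = "sid"          # assumed query parameter name


@dataclass
class Session:
    sid: str
    data: dict
    expires: float
    via_url: bool


class SessionStore:
    """Server-side store; identifiers are random and carry no data."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._sessions: Dict[str, Session] = {}

    def create(self, data: Optional[dict] = None, via_url: bool = False) -> Session:
        ttl = URL_TOKEN_TTL if via_url else COOKIE_TOKEN_TTL
        # 256 bits of randomness from the OS CSPRNG, URL-safe alphabet.
        sid = secrets.token_urlsafe(32)
        session = Session(sid, dict(data or {}), self._now() + ttl, via_url)
        self._sessions[sid] = session
        return session

    def _get_valid(self, sid: str) -> Optional[Session]:
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() >= session.expires:
            del self._sessions[sid]           # expired: drop it eagerly
            return None
        return session

    def rotate(self, session: Session) -> Session:
        """Invalidate the current identifier and issue a new one."""
        del self._sessions[session.sid]
        return self.create(session.data, via_url=session.via_url)

    def resolve(self, cookies: Dict[str, str], query: Dict[str, str]) -> Tuple[Optional[Session], bool]:
        """Return (session, id_changed). Cookie first, URL token as fallback."""
        sid = cookies.get(COOKIE_NAME)
        if sid:
            session = self._get_valid(sid)
            if session is not None:
                return session, False
        sid = query.get(URL_PARAM)
        if sid:
            session = self._get_valid(sid)
            if session is not None:
                # A URL token is single-use: the identifier that may already
                # sit in a log line or Referer header stops working here.
                return self.rotate(session), True
        return None, False


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the cookie path; third-party (framed) use in
    current browsers requires SameSite=None together with Secure."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=None"


def with_url_token(url: str, sid: str) -> str:
    """Rewrite a URL to carry the session identifier as a query parameter."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query) if k != URL_PARAM]
    params.append((URL_PARAM, sid))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))
```

On each response that used the URL path, the rewritten links must carry the new identifier returned by `resolve`, and the old one is already dead; that keeps the window in which a leaked URL is useful to a few minutes and a single request.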