• (cs) in reply to pscs
    pscs:
    Mike Dimmick:
    Dear web developers,

    DO NOT USE COOKIES OR SESSION STATE TO TRACK WHERE THE USER IS IN THE APPLICATION

    I've never understood why they do it. It seems to be banks that are the main culprits IME (IIRC, smile.co.uk will require you to log in again (with the 15 pages of not-really-two-factor login details) if you press the Back button just once). Maybe they think it's more secure or something. Quite how storing application state in cookies is more secure than storing a logged in session ID in cookies (which IS a good idea) is beyond me.

    It's generally easier to use hidden form fields rather than session data anyway. Maybe their 'HTML for dummies' book didn't include hidden form fields (after all, what use are they? - they're hidden).

    Wow, I'm embarrassed to say I didn't know that using hidden fields was better than using sessions to track users...hmm...will need to Google this to find out more. Of course, my sites don't break when using the navigation buttons...

    (not trolling)

    Donniel

  • (cs) in reply to pscs
    pscs:
    Geneticfreak:
    What if you are in a town, and the only place you can access the internet is by using an internet cafe

    Then you log out of the online banking after visiting your bank.

    The authentication details should be stored in cookies, which should be destroyed by you logging out.

    There may be cached pages showing what you did on the PC, but they'd be there anyway, and that depends whether the browser caches https pages (most don't AIUI). But, those pages wouldn't let someone else into your online banking - they wouldn't store your session ID.

    We're talking about people who store which PAGE you're on in a session, rather than authentication details.

    Having thought a bit more, I suppose that storing which page you're on makes it harder for someone to access your session if you don't log out afterwards - but then you deserve what you get if you don't log out (or clear all cookies, which is what I do) after going to your online bank from a public PC.

    Interesting point. I would like to point out, though, that even if I were only accessing the bank website on my own PC, I would want it to automatically invalidate my session after a period of inactivity. It's not like I expect random people to walk through my room and browse my PC, but I still would prefer the knowledge that a visitor opening up Firefox in my room would not immediately see my unprotected bank account.

    BTW, I never access any primary accounts from any public/untrusted (even a clueless friend's) PC for the fear of a keylogger. Cookies/history seem like a secondary concern.
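The split that the two replies above argue for (authentication in a server-side session with an inactivity timeout and an explicit logout; the "which page am I on" state carried in the request itself via a hidden form field), sketched as an added example that is not code from the original thread or from any bank site it mentions. The secret key, the 300-second idle limit and the HMAC over the hidden field are assumptions added here; signing the field is what keeps a client from editing the step once it leaves the server.

```python
import hmac, hashlib, time

SECRET = b"example-secret-key"  # constructed for this example; keep a real one out of source
IDLE_TIMEOUT = 300              # seconds of inactivity before a session is invalidated (assumed)

class SessionStore:
    """Server-side store holding only authentication state, keyed by session id."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested deterministically
        self.sessions = {}

    def login(self, session_id, user):
        self.sessions[session_id] = {"user": user, "last_seen": self.now()}

    def logout(self, session_id):
        # Explicit logout destroys the server-side record; the cookie alone is then useless.
        self.sessions.pop(session_id, None)

    def current_user(self, session_id):
        """Return the logged-in user, or None if the session is absent or has been idle too long."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(session_id)   # idle too long: invalidate, do not just deny
            return None
        s["last_seen"] = self.now()         # sliding expiry: activity keeps the session alive
        return s["user"]

def sign_step(step):
    """Value for a hidden form field carrying the wizard step, with a MAC so it cannot be tampered with."""
    mac = hmac.new(SECRET, str(step).encode(), hashlib.sha256).hexdigest()
    return f"{step}:{mac}"

def read_step(field):
    """Recover the step from the hidden field; None if it is missing, malformed or the MAC fails."""
    try:
        step, mac = field.rsplit(":", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, step.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(step) if step.isdigit() else None
```

Because the step travels with each form submission rather than living in the session, the Back button simply resubmits an older signed step and the server serves that page again; nothing about the login is touched.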

  • Thanatos (unregistered)

    My dad retired from CP a while back and he has to use Air Canada's website. It's probably one of the buggiest pages I have ever seen, as it always has something wrong with it.

    Captcha: Eros. Freud would be proud.

  • true_Ouch_false (unregistered)

    re "attempt to disowned by driver" pop-up: Obviously, "pwn" is getting pld.

    Captcha: erat. As in "errare humanum est"

Leave a comment on “Disowned by Driver”
