@ubermajestix @aniero pretty sure everyone used to store their sessions in memcached, then someone said cookie-based sessions are roflscale
@bascule If the idea is authentication, what difference does it make? Memcache sessions still have authenticating cookie, no?
@nirvdrum if you just use HMAC, the attacker controls the session data. With Memcached, you control the session data, and there's no crypto
@bascule Right. IIRC, @igrigorik lost an argument to actually encrypt the session cookie because the overhead of encrypting 4K was too high.
@nirvdrum @igrigorik they did eventually add a store that encrypts the session cookie but didn't MAC it, thus losing all confidentiality
@bascule agreed - I doubt this is going to be the last vuln in this category
@jamesgolick definitely having one of those "why did we do that?" moments right now