Gregory Maxwell wrote:
Actually, JS can read and cookies, and thereby use them as a datastore. Based on prior threads about JS based challenge response... it would actually be possible to do this.. but only with a ton of JS hackery. (I.e. client side JS computes cookie=H(uid+password) and stores it as a cookie server also stores this, server would occasionally challenge the client to compute H(cookie+counter) ... but without server authentication there is no way to prevent an active MTM attacker from using the client as an oracle).
I alredy though on that. But if the datastore is a cookie, what do you think the brwoser will do with that cookie? *Send it to the server* Which is precisely what we try to avoid. There's a MS extension to avoid JS touch some cookies, but AFAIK there's not the opposite thing.
PS: A very interesting lib, Brion.