And web applications that don't filter them properly... Interesting writeup on SecurityFocus today. Basically, between appending trailing dots and not handling country-code domains properly, you can inject session IDs for people to use on sites. Sites that allow sessions to be reused, that is. Yet another reason why session keys should not be reusable (especially for a different account) after logout, nor should the client be allowed to generate them. Of course they also shouldn't be predictable, and the entire session keyspace shouldn't be crackable in a few tenths of a second (such as Bb 5.5). Being able to browse sessions with next and previous using only the browser's cookie and a script is a novel trick for testing, but sucks for system security.
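As an added illustration (not code from the SecurityFocus writeup or from any product named here), a minimal server-side session table in Python that applies the rules above: the server never adopts an ID the client supplies, IDs come from a CSPRNG, the ID is rotated at login, and a logged-out ID is dead. The class and method names are hypothetical and the cookie value is constructed.

```python
import secrets


class SessionStore:
    """Server-side session table (hypothetical names) that only honours IDs it issued."""

    def __init__(self):
        # session id -> account name; None means an anonymous, pre-login session
        self._sessions = {}

    def _new_id(self):
        # 256 bits from the OS CSPRNG: not predictable and not enumerable
        return secrets.token_urlsafe(32)

    def resolve(self, cookie_value):
        """Map an incoming cookie to (session_id, account).

        A value the server never issued (including one planted through a
        too-broad cookie domain) is discarded and replaced with a fresh ID.
        """
        if cookie_value in self._sessions:
            return cookie_value, self._sessions[cookie_value]
        sid = self._new_id()
        self._sessions[sid] = None
        return sid, None

    def login(self, sid, account):
        """Rotate the ID at login so a pre-login ID known to someone else is useless."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = account
        return new_sid

    def logout(self, sid):
        """Delete the session; the same ID can never be revived, for any account."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    planted = "value-set-by-another-site"  # constructed sample cookie value
    sid, account = store.resolve(planted)
    print("planted ID adopted:", sid == planted)        # False
    auth_sid = store.login(sid, "alice")
    print("ID rotated at login:", auth_sid != sid)      # True
    store.logout(auth_sid)
    print("after logout:", store.resolve(auth_sid)[1])  # None
```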
Um, a few weeks. Maybe a month? I don't remember. I got sick of seeing it pop up as a 404 error when looking through errors on my site.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
Did you recently do the favicon? Or have I just never noticed?