Quote:
Originally Posted by rryles
Not sure what you mean by "hash it somehow" but I don't think any such techniques will help them.
They need to set a cookie for each domain that uniquely identifies an individual. That same data will be sent if the connection is over https and/or a non-standard port. Therefore that same data that uniquely identifies a user can be read by the web server.
If you take their claim that the only way they can tell users apart is the cookies they forge, then it follows that if two users swap cookies they won't notice the switch.
I'd compute a hash value for the UID using the client IP as the salt. Webwise is no longer leaking IDs, is IP locked and they still wouldn't be storing any PII. Not that I'm here to solve their problems nor that I have any real confidence in Phorm having any technical competence whatsoever.
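As an added illustration of the IP-salted identifier proposed in the reply above (example code, not from the thread or from Phorm/Webwise), the token is built with a keyed HMAC rather than a bare hash, an assumption made here so a web server that merely reads the cookie cannot brute-force the UID; the key, the token store and the client addresses are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key; a real deployment would load a secret from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def make_token(uid: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value: keyed hash of the UID with the client IP as the salt.

    Using HMAC (assumed here) instead of a bare hash means a server that reads
    the cookie cannot enumerate a small UID space to recover the identity.
    """
    msg = f"{uid}|{client_ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenStore:
    """Interception-side table, token -> UID, filled when the cookie is set."""

    def __init__(self, key: bytes = SERVER_KEY) -> None:
        self.key = key
        self.issued: Dict[str, str] = {}

    def issue(self, uid: str, client_ip: str) -> str:
        token = make_token(uid, client_ip, self.key)
        self.issued[token] = uid
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[str]:
        """Return the UID only if the token was issued for this client IP.

        Recomputing the token for the presenting IP enforces the IP lock: a
        cookie copied to another address no longer verifies. A user whose IP
        changes (DHCP churn) simply gets a fresh token on the next visit.
        """
        uid = self.issued.get(token)
        if uid is None:
            return None
        expected = make_token(uid, client_ip, self.key)
        return uid if hmac.compare_digest(token, expected) else None


def demo() -> Dict[str, object]:
    """Two users swap cookies: tokens carry no UID and fail off their own IP."""
    store = TokenStore()
    tok_a = store.issue("user-1001", "198.51.100.7")  # RFC 5737 test ranges
    tok_b = store.issue("user-2002", "203.0.113.9")
    return {
        "uid_in_cookie": "user-1001" in tok_a,          # hex digest never contains it
        "own_ip": store.resolve(tok_a, "198.51.100.7"),  # accepted
        "swapped_a": store.resolve(tok_a, "203.0.113.9"),  # rejected
        "swapped_b": store.resolve(tok_b, "198.51.100.7"),  # rejected
    }
```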