Quote:
Originally Posted by isf
They must be planning to hash it somehow, otherwise we could harvest UIDs and really phuzz the database. Doing this could be classed as a computer misuse offense but Phorm obviously would not have cared about that when they gained unauthorised access to data held on the server doing the UID harvesting.
Not sure what you mean by "hash it somehow", but I don't think any such technique will help them.
They need to set a cookie for each domain that uniquely identifies an individual. That same data will be sent if the connection is over https and/or a non-standard port. Therefore that same data that uniquely identifies a user can be read by the web server.
If you take their claim that the only way they can tell users apart is the cookies they forge, then it follows that if two users swap cookies they won't notice the switch.
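To make the argument in the reply concrete, here is an added example (not code from the original thread or from Phorm) that models an interceptor injecting a per-domain identifying cookie, shows that any origin web server can read it from the Cookie header, that "hashing it somehow" (modelled here as an HMAC of the UID under a secret only the interceptor knows) still yields a stable value that links visits, and that two users swapping cookie values are attributed to each other. The cookie name `trk_uid`, the secret, and the UIDs are assumptions made up for the example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Assumed cookie name and secret; the real injector's values are not given on the page.
TRACKER_COOKIE = "trk_uid"
TRACKER_SECRET = b"interceptor-only-secret"


def tracker_cookie_value(uid: str, hashed: bool) -> str:
    """Value the interceptor injects for a user. hashed=True models 'hash it somehow':
    the UID is replaced by an HMAC that only the interceptor can map back to the UID."""
    if not hashed:
        return uid
    return hmac.new(TRACKER_SECRET, uid.encode(), hashlib.sha256).hexdigest()


def browser_cookie_header(uid: str, hashed: bool, site_cookies: dict) -> str:
    """Cookie header the browser sends to one domain: the site's own cookies
    plus the injected tracker cookie (sent regardless of https or port)."""
    parts = [f"{k}={v}" for k, v in site_cookies.items()]
    parts.append(f"{TRACKER_COOKIE}={tracker_cookie_value(uid, hashed)}")
    return "; ".join(parts)


def origin_server_sees(cookie_header: str) -> Optional[str]:
    """What the origin web server can read: it parses the Cookie header like any other."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[TRACKER_COOKIE].value if TRACKER_COOKIE in jar else None


def tracker_identifies(cookie_header: str) -> Optional[str]:
    """The interceptor's only handle on a user is the same cookie value."""
    return origin_server_sees(cookie_header)


def visits_linkable(uid: str, hashed: bool) -> bool:
    """Two separate visits by the same user (different site sessions) carry the same
    tracker value, so the origin server can link them whether or not it is hashed."""
    first = origin_server_sees(browser_cookie_header(uid, hashed, {"session": "s1"}))
    second = origin_server_sees(browser_cookie_header(uid, hashed, {"session": "s2"}))
    return first is not None and first == second


def swap_goes_unnoticed(uid_a: str, uid_b: str, hashed: bool) -> bool:
    """Two users exchange their injected cookie values; the interceptor now attributes
    each one's traffic to the other, with nothing in the cookie to reveal the swap."""
    a_val = tracker_cookie_value(uid_a, hashed)
    b_val = tracker_cookie_value(uid_b, hashed)
    alice_header = f"session=alice; {TRACKER_COOKIE}={b_val}"
    bob_header = f"session=bob; {TRACKER_COOKIE}={a_val}"
    return tracker_identifies(alice_header) == b_val and tracker_identifies(bob_header) == a_val


if __name__ == "__main__":
    for hashed in (False, True):
        print("hashed" if hashed else "plain",
              "linkable:", visits_linkable("user-1234", hashed),
              "swap unnoticed:", swap_goes_unnoticed("user-1234", "user-5678", hashed))
```

The point the reply makes survives the hashing: the server still sees a stable per-user token, and because the interceptor has no second factor tying the token to a browser, a swapped token is simply accepted as the other user.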