Hacker News new | ask | show | jobs
by RKearney 4705 days ago
In addition to the session ID cookies, you need the HSID cookie as well, which is HttpOnly. While this type of bug is bad, it doesn't allow for a malicious third party to get all of the cookies needed to take over the users session.
2 comments
damncabbage 4705 days ago
Why bother with session cookies when you can just throw up an official-looking login dialog on the google.com domain and just steal credentials from everyone not aware enough?
link
arkem 4705 days ago
Also compartmentalization helps (Keeping products in different javascript origins, e.g. mail.google.com, accounts.google.com, etc)
link
seldo 4705 days ago
Yes, but Google Finance is on google.com/finance (for some reason; I'm sure it used to be finance.google.com at some point...).

The importance of httpOnly had somehow escaped me until today :-)

link
hkmurakami 4705 days ago
I use Google Finance, Yahoo Finance, Marketwatch, Bloomberg and the WSJ stock pages very frequently and can confirm that Google Finance was on finance.google.com until quite recently. Pretty sure it was there earlier this year.
link
PavlovsCat 4705 days ago
Yes, but Google Finance is on google.com/finance (for some reason; I'm sure it used to be finance.google.com at some point...).

Cookies set for just subdomain.hostname.com can only be "seen by" that particular subdomain, while cookies set for hostname.com can be seen from hostname.com and any and all subdomains. I think that's why they do it constantly, at least stuff like www.google.com/glass certainly makes no sense otherwise. Why not make a fancy new domain for that? I think it's cookie greed.

link
toast0 4705 days ago
cookie greed doesn't explain it, because they don't issue any cookies for www.google.com, or at least, I don't have any; they do issue cookies for .google.com, which www and finance can access equally. It's either a branding thing, or a they paid for the fancy load balancer so they're going to use it thing.
link
PavlovsCat 4705 days ago
That's a good point, I stand corrected. Of course, if you wanted to be "minimal" about cookies, you'd have to use a subdomain, but using one doesn't mean anything by itself.
link
KnightHawk3 4705 days ago
calendar.google.com got changed too recently.
link