I’m creating a static site generator with a dynamic admin backend for one user. The site accepts no user input. Does this mean that I am safe from attackers who are trying to steal my admin cookie?
(there is no user input, so XSS and other methods don’t work, right?)
If there’s no user input (no links to click that have any effects, etc.), how does the admin backend qualify as “dynamic”?
But basically: No, not unless you’re using HTTPS. Even if you’re not accepting input, the cookie is transmitted in plaintext and so can be captured (by a man-in-the-middle attack, etc.) and used. (I assume you don’t want other people using the cookie to see the admin stuff.)
Or did I completely misunderstand the question? 😉
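As an added example (not part of the original question or answer): a small Python check that an admin cookie's `Set-Cookie` header carries the attributes that keep it off plaintext HTTP connections. The cookie name `admin_session` and the header values are constructed samples, and the `HttpOnly` and `SameSite` checks go beyond the HTTPS point made in the answer.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attribute keys lowercased."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return findings for one Set-Cookie header value (empty list = OK)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        # Browser will also attach the cookie to http:// requests, in cleartext.
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        # Page scripts can read the cookie through document.cookie.
        findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite is not Strict or Lax")
    return findings


# Constructed sample headers (hypothetical cookie name and value).
SAMPLE_HEADERS = [
    "admin_session=abc123; Path=/admin",
    "admin_session=abc123; Path=/admin; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for line in audit_cookie(header) or ["ok"]:
            print("   ", line)
```

The `Secure` attribute only helps if the admin backend is actually served over HTTPS; on a plain HTTP site the cookie still crosses the network unencrypted.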