From c6cf2568bd186fe46dea6aeefec17e046a595b52 Mon Sep 17 00:00:00 2001
From: xue <>
Date: Sun, 12 Feb 2006 02:14:50 +0000
Subject: Updated cookie attack prevention tutorial page.

---
 buildscripts/texbuilder/build.php                   |  3 ++-
 .../quickstart/protected/pages/Security/Cookie.page | 21 ++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/buildscripts/texbuilder/build.php b/buildscripts/texbuilder/build.php
index 44fbecf2..ae264843 100644
--- a/buildscripts/texbuilder/build.php
+++ b/buildscripts/texbuilder/build.php
@@ -41,7 +41,8 @@ $pages['Controls'] = array(
 $pages['Security'] = array(
 	'Security/Auth.page',
 	'Security/ViewState.page',
-	'Security/XSS.page');
+	'Security/XSS.page',
+	'Security/Cookie.page');
 
 $pages['Advanced Topics'] = array(
 	'Advanced/Assets.page',
diff --git a/demos/quickstart/protected/pages/Security/Cookie.page b/demos/quickstart/protected/pages/Security/Cookie.page
index e042f894..843f99fb 100644
--- a/demos/quickstart/protected/pages/Security/Cookie.page
+++ b/demos/quickstart/protected/pages/Security/Cookie.page
@@ -11,5 +11,24 @@ There are several countermeasures to prevent cookies from being attacked.
   <li>An application can use SSL to create a secure communication channel and only pass the authentication cookie over an HTTPS connection. Attackers are thus unable to decipher the contents in the transferred cookies.</li>
   <li>Expire sessions appropriately, including all cookies and session tokens, to reduce the likelihood of being attacked.</li>
   <li>Prevent <a href="?page=Security.XSS">cross-site scripting (XSS)</a> which causes arbitrary code to run in a user's browser and expose his cookies.</li>
-  <li>Validate cookie data and detect if they are altered. By default, Prado validates the cookie data to ensure they are not altered.</li>
+  <li>Validate cookie data and detect if they are altered.</li>
 </ul>
+<p>
+Prado implements a cookie validation scheme. It associates cookie data with the target remote host address and user agent. HMAC check is performed to ensure that cookie data is not altered and is sent from the expected source.
+</p>
+<p>
+Cookie validation is enabled by default. To obtain validated cookie data, retrieve them from the <tt>Cookies</tt> collection of <tt>THttpRequest</tt> by using the following PHP statements,
+</p>
+<com:TTextHighlighter CssClass="source">
+foreach($this->Request->Cookies as $cookie)
+    // $cookie is of type THttpCookie
+</com:TTextHighlighter>
+<p>
+To send cookie data encoded with validation information, create new <tt>THttpCookie</tt> objects and add them to the <tt>Cookies</tt> collection of <tt>THttpResponse</tt>,
+</p>
+<com:TTextHighlighter CssClass="source">
+$cookie=new THttpCookie($name,$value);
+$this->Response->Cookies[]=$cookie;
+</com:TTextHighlighter>
+
+</com:TContent>
\ No newline at end of file
-- 
cgit v1.2.3