Open davidanthoff opened 6 years ago
How about using environment variables? IIUC, in *nix, only processes launched by the same user have access to the environment variables of other processes, while that is not the case for command-line arguments.
That might work, do we know what the story there is on Windows? I have to admit, though, that I don't even understand what the point of this cookie is in the first place :)
Right now the cookie gets passed as a command line argument. @vtjnash rightly pointed out that that is not secure. A previous version passed it via stdin, but that version was buggy on Windows.
It is generally not really clear to me what attack vector we are trying to prevent with this cookie story, but if we have it, we should probably pass it in a secure way. So ideally we would go back to passing it via stdin, but in a way that works on all platforms.
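The three hand-off options discussed in this thread (command-line argument, environment variable, stdin) compared on Linux, as an added example that is not part of the original thread or the project's code. The `--cookie=` flag, the `EXAMPLE_COOKIE` variable and the child program are hypothetical, and the check relies on procfs, so it reports `None` on other platforms.

```python
import os, secrets, stat, subprocess, sys

# Constructed child: reads the cookie line from stdin, acknowledges, then idles
# until the parent closes stdin, so the parent can inspect /proc/<pid> meanwhile.
CHILD = ("import sys\n"
         "sys.stdin.readline()\n"
         "print('ready', flush=True)\n"
         "sys.stdin.read()\n")

def _other_readable(path):
    # True if the mode bits grant read access to group or other users.
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def exposure(how, cookie):
    """Launch the child with the cookie passed by 'argv', 'env' or 'stdin' and
    report where it is visible. Returns None when /proc cannot be read."""
    cmd, env = [sys.executable, "-c", CHILD], dict(os.environ)
    if how == "argv":
        cmd.append("--cookie=" + cookie)      # hypothetical flag name
    elif how == "env":
        env["EXAMPLE_COOKIE"] = cookie        # hypothetical variable name
    p = subprocess.Popen(cmd, env=env, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, text=True)
    try:
        # Only the 'stdin' variant sends the cookie over the pipe.
        p.stdin.write((cookie if how == "stdin" else "") + "\n")
        p.stdin.flush()
        p.stdout.readline()                   # child is running and has read the line
        base, needle = "/proc/%d/" % p.pid, cookie.encode()
        with open(base + "cmdline", "rb") as f:
            in_cmdline = needle in f.read()
        with open(base + "environ", "rb") as f:
            in_environ = needle in f.read()
        return {"in_cmdline": in_cmdline, "in_environ": in_environ,
                "cmdline_other_readable": _other_readable(base + "cmdline"),
                "environ_other_readable": _other_readable(base + "environ")}
    except OSError:
        return None                           # no procfs here, or access denied
    finally:
        p.stdin.close()                       # lets the child exit
        p.wait()
        p.stdout.close()

if __name__ == "__main__":
    for how in ("argv", "env", "stdin"):
        print(how, exposure(how, secrets.token_hex(16)))
```

With the stdin hand-off the cookie appears in neither `/proc/<pid>/cmdline` nor `/proc/<pid>/environ`; it exists only in the pipe and in the child's memory.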