I read your post about securing Joomla, and I have a question about the session cookie. Why is it good that AdminExile stops sending the session cookie in /administrator?
You wrote: "This is a method used by Clipper and AdminExile as well as several other security extensions. One key difference is that Clipper and AdminExile prevent the Joomla session cookie from being sent. Other URL token extensions block access to /administrator - but allow the session cookie to be sent. If the cookie is received by an attacker, he immediately knows that something exists at that URL and can continue to probe for a means of entry."
If you test it, or if you already know this: if a page doesn't exist, Joomla will send the session cookie anyway...
-> I got a session cookie with a 404 error.
So my point is, if Joomla sends this session cookie anyway (for existing pages and for non-existing pages and components), then why does AdminExile stop it in the administrator area? From this, the attacker will know that something exists at that location...
What do you think? I think it would be less noticeable if you got the cookie with the 404 error on the administration page.
Please correct me if I'm wrong!
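The comparison the post describes (does the 404 for /administrator hand out a session cookie the way an ordinary 404 does?) is something a site administrator can check for themselves. The script below is an added example, not code from the original post, from Joomla, or from AdminExile or Clipper. It assumes Joomla names its session cookie with a 32-character hexadecimal digest, and it works on constructed raw HTTP responses so it runs offline; the `fetch_raw` stub is a hypothetical hook where a real HTTP client would go for checking a site you administer.

```python
"""Audit which paths of a Joomla site hand out a session cookie,
and whether the protected /administrator 404 behaves like a normal 404.

Added example, not code from the original post or from AdminExile/Clipper.
Assumption (not stated in the post): Joomla session cookies carry a
32-character hex name, so that pattern is what the audit looks for.
"""
import re
from http.cookies import SimpleCookie

# Assumed naming convention for the Joomla session cookie (see lead-in).
SESSION_COOKIE_NAME = re.compile(r"^[0-9a-f]{32}$")


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def session_cookies(raw):
    """Return the names of session-looking cookies set by one response."""
    _, headers = parse_raw_response(raw)
    names = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; path=/; HttpOnly"
        names.extend(c for c in jar if SESSION_COOKIE_NAME.match(c))
    return names


def audit(responses):
    """Map each probed path to (status, sets_session_cookie)."""
    result = {}
    for path, raw in responses.items():
        status, _ = parse_raw_response(raw)
        result[path] = (status, bool(session_cookies(raw)))
    return result


def distinguishable_404s(results, baseline="/no-such-page"):
    """Paths whose 404 differs in cookie behaviour from the site's normal 404.

    A 404 that behaves differently from every other 404 is the signal the
    post is worried about: it tells an observer this path is special.
    """
    base_status, base_cookie = results[baseline]
    if base_status != 404:
        raise ValueError("baseline path must itself return a 404")
    return sorted(
        path for path, (status, cookie) in results.items()
        if path != baseline and status == 404 and cookie != base_cookie
    )


def fetch_raw(path):
    """Hypothetical hook: replace with a real HTTP client for a live check."""
    raise NotImplementedError("offline example; see SAMPLE_RESPONSES")


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "/": ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: 0123456789abcdef0123456789abcdef=s1; path=/; HttpOnly\r\n"
          "Content-Type: text/html\r\n\r\n<html>"),
    "/no-such-page": ("HTTP/1.1 404 Not Found\r\n"
                      "Set-Cookie: 0123456789abcdef0123456789abcdef=s2; path=/; HttpOnly\r\n"
                      "Content-Type: text/html\r\n\r\n<html>"),
    # The token-protected admin path answers 404 but sets no session cookie.
    "/administrator/": ("HTTP/1.1 404 Not Found\r\n"
                        "Content-Type: text/html\r\n\r\n<html>"),
}

if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSES)
    for path, (status, cookie) in results.items():
        print(f"{path:18} {status}  session cookie: {'yes' if cookie else 'no'}")
    print("404s that differ from the normal 404:", distinguishable_404s(results))
```

Run against real captures, an empty list from `distinguishable_404s` means the protected path's 404 is indistinguishable by cookie behaviour from any other 404; a non-empty list shows exactly the difference the post asks about.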