[thesite] My Intro and a look at a UEUE Proposal
.jeff
jeff at members.evolt.org
Thu Oct 18 02:01:54 CDT 2001
martin,
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Martin
>
> > with the one exception that we don't set it for
> > members.evolt.org. that effectively neuters anything
> > we want to do with meo proper, but doesn't expose the
> > cookies to being read by meo account holders.
>
> Could be avoided if we separated the meo admin stuff
> from the meo member space
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
it can't be avoided by simply moving meo admin stuff elsewhere. the
problem, as it exists right now, is that the easiest way to set a cookie
that can be read by all sites is to set it to *.evolt.org. that means that
anybody with a member site can read it. you can limit the path up the chain
(as you chop off directories in the request) that can read the cookie by
specifying a path, but you can't limit the path down the chain (directories
off the domain).
so, a path of "/jeff/" and a domain of *.evolt.org would keep any site
within evolt.org from reading the cookie, except for those cases where the
site is trying to read it from a directory named "jeff". this effectively
keeps the contents of my cookie within my "user space" on m.e.o. however, i
can't specify a path of "/" and expect the cookie to not get sent when
requesting sub-directories.
that aside, the top-level pages of m.e.o (account signup, front page, etc.)
all need to respond to the user and be able to read a cookie with that
user's authentication. i see no way of being able to do that without
exposing the cookie to m.e.o accounts.
make any sense at all?
.jeff
http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
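
Added example, not part of the original message: a simplified version of the RFC 6265 domain-match and path-match rules, showing which requests would carry a cookie scoped the two ways the message describes. The URLs, the "martin" directory and the function names are constructed for illustration; "*.evolt.org" is treated as the Domain attribute "evolt.org".

```javascript
// Simplified RFC 6265 matching (ignores Secure, HttpOnly, expiry and IP-address hosts).
function domainMatch(host, cookieDomain) {
  // Normalise "*.evolt.org" or ".evolt.org" to "evolt.org".
  const d = cookieDomain.replace(/^\*?\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a directory boundary: "/jeff" must not match "/jeffrey/".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a browser would attach the cookie to a request for this URL.
function cookieSent(url, cookie) {
  const u = new URL(url);
  return domainMatch(u.hostname, cookie.domain) && pathMatch(u.pathname, cookie.path);
}

// Returns the subset of URLs whose requests would include the cookie.
function visibility(cookie, urls) {
  return urls.filter((u) => cookieSent(u, cookie));
}

// Constructed sample requests.
const urls = [
  "http://evolt.org/",
  "http://evolt.org/jeff/",                         // other host, directory named "jeff"
  "http://members.evolt.org/",                      // m.e.o top-level pages
  "http://members.evolt.org/jeff/",
  "http://members.evolt.org/jeff/photos/index.html",
  "http://members.evolt.org/martin/",               // hypothetical other member space
];

const scoped = { domain: "*.evolt.org", path: "/jeff/" };
const siteWide = { domain: "*.evolt.org", path: "/" };

// Path "/jeff/" confines the cookie to directories named "jeff" on any evolt.org host.
console.log("path=/jeff/ ->", visibility(scoped, urls));
// Path "/" is a prefix of every request path, so every member directory receives it.
console.log("path=/      ->", visibility(siteWide, urls));
```

The second result is the exposure the message describes: a cookie the m.e.o top-level pages can read is also sent to every member directory beneath them.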