you guys do realize that you can't use the cookie without validating it against the hash, right? there are two fields for every value in the cookie:

USER_NAME = djc
USER_NAME_HASH = MD5(USER_NAME.ueue-server-secret-key)

where USER_NAME_HASH would end up with something like 12039123n12klj3hsd8ui123jh12

when m.e.o gets that info, it doesn't automatically assume I'm djc (and the privileges that go with my userid), it runs the plain text value through the hash as well. if they don't match, m.e.o knows it's not me and wipes the cookie or sends me back to ueue.evolt.org to revalidate.

so little Joey Cracker that has a m.e.o account could set a cookie claiming he was djc and had a priv level of 4 and send himself to the main site to delete all of isaac's articles. fuck, he could even create a cookie with values like

USER_NAME = djc
USER_NAME_HASH = MD5(USER_NAME.JOEY-secret-key)

so it looks *just like ours*. the problem is, he hashed it with a different secret key, so when he goes to w.e.o it won't validate. better luck next time, insert coin, game over.

no need for new domains, moving shit, or paranoia... this is all spelled out pretty clearly in Mark's write-up at http://members.evolt.org/mnickel/ueue.html :)

.djc.

.jeff wrote:

>>Could be avoided if we separated the meo admin stuff
>>from the meo member space
>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>>
>
> it can't be avoided by simply moving meo admin stuff elsewhere. the
> problem, as it exists right now, is that the easiest way to set a cookie
> that can be read by all sites is to set it to *.evolt.org. that means that
> anybody with a member site can read it. you can limit the path up the chain
> (as you chop off directories in the request) that can read the cookie by
> specifying a path, but you can't limit the path down the chain (directories
> off the domain).
>
> so, a path of "/jeff/" and a domain of *.evolt.org would keep any site
> within evolt.org from reading the cookie, except for those cases where the
> site is trying to read it from a directory named "jeff". this effectively
> keeps the contents of my cookie within my "user space" on m.e.o. however, i
> can't specify a path of "/" and expect the cookie not to get sent when
> requesting sub-directories.
>
> that aside, the top-level pages of m.e.o (account signup, front page, etc.)
> all need to respond to the user and be able to read a cookie with that
> user's authentication. i see no way of being able to do that without
> exposing the cookie to m.e.o accounts.
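The recompute-and-compare check djc describes above, as an added example that is not code from the post or from the evolt/ueue project: every plaintext field is re-hashed with the server's secret and the cookie is rejected on any mismatch, so a cookie hashed with a different key (or with a field edited after hashing) never validates. The secret string, the PRIV field, the function names and the constant-time comparison are assumptions, not details from the write-up.

```python
import hashlib
import hmac

# Constructed stand-in; the real ueue secret is not on the page.
SERVER_SECRET = b"ueue-server-secret-key"
SIGNED_FIELDS = ("USER_NAME", "PRIV")  # assumed field set


def cookie_hash(value: str, secret: bytes) -> str:
    """MD5(value . secret), the construction the post describes."""
    return hashlib.md5(value.encode() + secret).hexdigest()


def make_cookie(user_name: str, priv: int, secret: bytes = SERVER_SECRET) -> dict:
    """Emit each value alongside its keyed hash, as ueue would on login."""
    cookie = {}
    for field, value in (("USER_NAME", user_name), ("PRIV", str(priv))):
        cookie[field] = value
        cookie[field + "_HASH"] = cookie_hash(value, secret)
    return cookie


def validate_cookie(cookie: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Re-hash every plaintext field; any missing or mismatched hash rejects it."""
    for field in SIGNED_FIELDS:
        value = cookie.get(field)
        presented = cookie.get(field + "_HASH")
        if value is None or presented is None:
            return False
        expected = cookie_hash(value, secret)
        # constant-time compare so the server does not leak how much matched
        if not hmac.compare_digest(expected, presented):
            return False
    return True


if __name__ == "__main__":
    legit = make_cookie("djc", 4)
    forged = make_cookie("djc", 4, secret=b"JOEY-secret-key")  # wrong key
    print("legit validates:", validate_cookie(legit))    # True
    print("forged validates:", validate_cookie(forged))  # False
```

The same check applies unchanged to a cookie whose PRIV field was edited after it was issued; in a new design the standard keyed construction is `hmac.new(secret, value, "sha256")` rather than a plain hash over value plus secret.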