[thesite] My Intro and a look at a UEUE Proposal

.jeff jeff at members.evolt.org
Tue Oct 16 18:14:14 CDT 2001


martin,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Martin
>
> OK, what happens if I log in from 2 different machines?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

then it simply re-issues a cookie with identical data to the one already on
the other machine.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> atm, it's fine because each machine has its own cookie
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

and they're unique to you as the user, but not unique to each machine.  the
contents of each cookie are identical because they're for the same user.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> and neither do much persistent authentication to the
> user record beyond pw.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

actually, they don't do authentication beyond checking the value of the
cookie against the "cookie" column in the user table.  if they match you're
logged in as the user whose record has that uuid that was found in your
cookie.  it's fairly safe as it'd be fairly hard to correctly guess a 36
character string made of letters, numbers, and hyphens.  however, the
problem of m.e.o account users snatching these cookies is very real and
always has been.

however, the only way to stop this is to set the cookie at the domain level:

evolt.org
browsers.evolt.org
food.evolt.org
...
test.evolt.org
www.evolt.org

with the one exception that we don't set it for members.evolt.org.  that
effectively neuters anything we want to do with meo proper, but doesn't
expose the cookies to being read by meo account holders.  implementing it in
this fashion would be much more tedious as each child server would have to
report to ueue.evolt.org and a cookie for *each* child server site would
have to be issued (not an easy task).  i guess the important part is to
determine the risk involved and decide if it's worth the "expense".

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> But if we're checking a cookie against user activity
> records, it will scupper this.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

i don't see how it would.

thanks,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
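
The cookie scoping trade-off discussed in the message above, as an added example that is not part of the original post or of evolt.org's code. It models RFC 6265 domain matching and assumes the current cookie is scoped to the parent domain evolt.org; the cookie name "auth" and the token value are constructed for illustration.

```python
import uuid

# Hostnames taken from the message; the "..." in its list is left out.
SITES = ["evolt.org", "browsers.evolt.org", "food.evolt.org",
         "test.evolt.org", "www.evolt.org"]
MEMBERS = "members.evolt.org"


def domain_match(request_host, cookie_domain, host_only):
    """RFC 6265 domain matching for hostnames (IP addresses not handled)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        # Cookie set without a Domain attribute: exact host only.
        return request_host == cookie_domain
    # Cookie set with Domain=...: the host itself and every subdomain.
    return (request_host == cookie_domain
            or request_host.endswith("." + cookie_domain))


def hosts_receiving(cookies, hosts):
    """Sorted list of hosts to which a browser would send at least one cookie."""
    return sorted(h for h in hosts
                  if any(domain_match(h, c["domain"], c["host_only"])
                         for c in cookies))


def shared_cookie(token):
    # Assumption: one cookie scoped to the parent domain (Domain=evolt.org).
    return [{"name": "auth", "value": token,
             "domain": "evolt.org", "host_only": False}]


def per_host_cookies(token):
    # One host-only cookie per site, and none for members.evolt.org.
    return [{"name": "auth", "value": token, "domain": s, "host_only": True}
            for s in SITES]


if __name__ == "__main__":
    token = str(uuid.uuid4())  # constructed sample value, 36 characters
    all_hosts = SITES + [MEMBERS]
    print("shared  :", hosts_receiving(shared_cookie(token), all_hosts))
    print("per-host:", hosts_receiving(per_host_cookies(token), all_hosts))
```

The per-host variant keeps the token away from members.evolt.org at the cost of issuing one cookie per site, which is the "expense" the message refers to.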





