[thesite] My Intro and a look at a UEUE Proposal

.jeff jeff at members.evolt.org
Tue Oct 16 19:12:22 CDT 2001


rory,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Rory.Plaire at wahchang.com
>
> Martin's question causes me to consider what happens if
> someone else uses the other machine. Since a cookie is
> being re-issued, wouldn't that be an open door?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

no, actually it's not an open door unless you as a user choose to open it.
the only way there'd be a cookie on a machine is if you've selected the
convenience of the "remember me" feature.  otherwise there aren't any
cookies issued to compromise the login.

now, that's how it works currently.

if we go to an all cookie login system, that sort of door could be opened
up.  the solution would be to have the cookie be only a session cookie
unless the user chooses the convenience of the "remember me" feature in
which case it's issued with a long-in-the-future expiration date.  again,
we're giving the user the opportunity to open the door themselves, but not
doing it without their intervention.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Then I wonder does this matter to anyone in this
> context? I mean, it isn't a banking application,
> right?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

yes, that's a very valid observation.  some admin and god privilege
functionality is available with the right cookie value though.  it could be
worthwhile to make sure to protect that as much as possible.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> I think the concern is mainly about m.e.o. ...
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

precisely.

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
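The session-cookie-unless-"remember me" design described in the reply above, as an added example that is not evolt.org's code: the cookie value is an opaque random token looked up server-side, it carries no expiry unless the user opts in, and logout invalidates the server-side record so a cookie left on another machine stops working. The cookie name `login`, the 30-day lifetime and the in-memory `SESSIONS` store are assumptions for the example.

```python
import secrets
import time
from email.utils import formatdate

# Constructed in-memory store: token -> (user, expires_at or None for session-only).
SESSIONS = {}
REMEMBER_ME_SECONDS = 30 * 24 * 3600  # assumed "long-in-the-future" lifetime


def issue_login_cookie(user, remember_me, now=None):
    """Return (Set-Cookie value, token) for a user who has just authenticated.

    Without remember_me the cookie has no Expires/Max-Age, so the browser drops it
    when it closes: nothing persists on the machine unless the user asks for it.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # opaque: encodes no user id or privilege level
    attrs = [f"login={token}", "Path=/", "HttpOnly"]
    expires_at = None
    if remember_me:
        expires_at = now + REMEMBER_ME_SECONDS
        attrs.append(f"Max-Age={REMEMBER_ME_SECONDS}")
        attrs.append(f"Expires={formatdate(expires_at, usegmt=True)}")
    SESSIONS[token] = (user, expires_at)
    return "; ".join(attrs), token


def user_for_cookie(token, now=None):
    """Resolve a presented cookie value to a user; None means not logged in."""
    now = time.time() if now is None else now
    record = SESSIONS.get(token)
    if record is None:
        return None
    user, expires_at = record
    if expires_at is not None and now >= expires_at:
        del SESSIONS[token]  # remembered login has aged out
        return None
    return user


def logout(token):
    """Kill the server-side record so a cookie left on a shared machine is useless."""
    SESSIONS.pop(token, None)
```

Admin or "god" privileges should be decided from the server-side record for the resolved user, never from anything encoded in the cookie value itself.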
