[thesite] My Intro and a look at a UEUE Proposal

.jeff jeff at members.evolt.org
Thu Oct 18 02:01:54 CDT 2001


martin,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Martin
>
> > with the one exception that we don't set it for
> > members.evolt.org.  that effectively neuters anything
> > we want to do with meo proper, but doesn't expose the
> > cookies to being read by meo account holders.
>
> Could be avoided if we separated the meo admin stuff
> from the meo member space
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

it can't be avoided by simply moving meo admin stuff elsewhere.  the
problem, as it exists right now, is that the easiest way to set a cookie
that can be read by all sites is to set it to *.evolt.org.  that means that
anybody with a member site can read it.  you can limit the path up the chain
(as you chop off directories in the request) that can read the cookie by
specifying a path, but you can't limit the path down the chain (directories
off the domain).

so, a path of "/jeff/" and a domain of *.evolt.org would keep any site
within evolt.org from reading the cookie, except for those cases where the
site is trying to read it from a directory named "jeff".  this effectively
keeps the contents of my cookie within my "user space" on m.e.o.  however, i
can't specify a path of "/" and expect the cookie not to get sent when
requesting sub-directories.

that aside, the top-level pages of m.e.o (account signup, front page, etc.)
all need to respond to the user and be able to read a cookie with that
user's authentication.  i see no way of being able to do that without
exposing the cookie to m.e.o accounts.

make any sense at all?

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
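The domain and path scoping described above, worked through as an added example (not code from the post or from evolt.org): the RFC 6265 domain-match and path-match rules applied to a cookie set with Domain=.evolt.org and Path=/jeff/. The hostnames and request paths are constructed for illustration.

```python
# Which requests receive a cookie scoped the way the post describes?
# Implements the RFC 6265 domain-match (5.1.3) and path-match (5.1.4) rules.
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if host is the cookie domain or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """True if cookie_path is a prefix of request_path on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # either the cookie path ends in '/', or the next request char is '/'
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent_to(url: str, cookie_domain: str, cookie_path: str) -> bool:
    """Would a cookie with these Domain/Path attributes be sent on this request?"""
    parts = urlsplit(url)
    return domain_matches(parts.hostname or "", cookie_domain) and path_matches(
        parts.path or "/", cookie_path
    )


def evolt_scenarios() -> dict:
    """The cases from the post: Path=/jeff/ confines the cookie to that path
    segment on every *.evolt.org host, while Path=/ reaches every subdirectory.
    All URLs are constructed examples."""
    return {
        # jeff's own member space on m.e.o receives the cookie
        "own_space": cookie_sent_to("http://members.evolt.org/jeff/index.html", ".evolt.org", "/jeff/"),
        # another member's directory does not
        "other_member": cookie_sent_to("http://members.evolt.org/mike/index.html", ".evolt.org", "/jeff/"),
        # but a directory named "jeff" on any evolt.org host still does
        "jeff_dir_elsewhere": cookie_sent_to("http://www.evolt.org/jeff/page.cgi", ".evolt.org", "/jeff/"),
        # the top-level pages of m.e.o cannot read it with Path=/jeff/
        "meo_front_page": cookie_sent_to("http://members.evolt.org/", ".evolt.org", "/jeff/"),
        # with Path=/ the cookie is sent to every subdirectory, i.e. every member
        "root_path_other_member": cookie_sent_to("http://members.evolt.org/mike/", ".evolt.org", "/"),
    }
```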
