[thesite] UEUE v0.4 - Circumventing the cookie scr1ptk1dd1es

Mark Nickel mnickel at www.llamacom.com
Sun Dec 16 23:22:22 CST 2001


As promised, here are some more thoughts on making UEUE work for all of 
evolt without excluding m.e.o. (members.evolt.org)

<p1mping weblog>
I've got the raw form of this discussion here:
http://members.evolt.org/mnickel/weblog
This is stream-of-consciousness stuff, so be kind.
</p1mping weblog>

This latest version of UEUE is inspired by a list of links that Dan 
originally provided a while back:

http://lists.evolt.org/thesitearchive/2001-November/1564208.html

Most specifically the Nareau Project link was what got me thinking more 
about how user authentication really works.

Here is a link to the document off of my main site:
http://members.evolt.org/mnickel/ueue.0.4.html

In a nutshell the solution to the cookie-hijacking is to establish a group 
of trusted URLs within the UEUE authentication architecture.  If you are 
coming from an untrusted URL to a trusted URL, you will be re-prompted for 
your password.  UEUE cookies will be correctly deleted and recreated as 
necessary before they get to the JavaScript haxors. This is the best way, 
short of digital certs. and bio-scanners, to prove your identity IMHO 
using browser-based technology.  

I know that people are going to balk at having to reenter their passwords,
but, as I mention in my document, we will quickly be able to identify a 
large set of trusted URLs, so if you browse common m.e.o sites (like
here for example: http://members.evolt.org/members.cfm) you won't be
reentering your password...

For me personally, I'm very comfortable with what I'm proposing so I'm 
going to move to the coding stage...  weeeeeee!  Dan's favorite words, 
"Show me the code!"  Once there's something sticking (*not* stinking.. :))
to the virtual wall, then it will be much easier for others to pick about 
the internals...

I think that this is a "good enough" solution, will work well, and be a
step above simply re-creating M$-Passport.  :)

weeeeeeee!  Peace outside!

Mark
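As an added example that is not Mark's code and not evolt's UEUE implementation, the Python sketch below models the trusted-URL gate described in the post: a session that has been served to an untrusted URL is considered exposed, the next request from it for a trusted URL destroys the old cookie and re-prompts for the password, and a fresh session id is issued after re-authentication. The trusted prefixes, the user/session stores and the sample URLs are assumptions constructed for the example. One design choice worth noting: the sketch records exposure server-side (which URL the session was last handed to) rather than reading the browser's Referer header, because an attacker replaying a stolen cookie from their own client can set Referer to whatever they like.

```python
"""UEUE-style trusted-URL gate for a shared-domain auth cookie (example only).

Threat: member pages live on the same domain as the auth cookie, so a script
on an untrusted page can read it.  Defence modelled here: track server-side
whether a session was ever served to an untrusted URL; the next trusted-URL
request from such a session deletes the session and demands the password.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical trusted set: (host, path-prefix) pairs, constructed for this example.
TRUSTED_PREFIXES = (
    ("members.evolt.org", "/members.cfm"),
    ("members.evolt.org", "/ueue/"),
    ("evolt.org", "/"),
)


def is_trusted(url: str) -> bool:
    """True if the URL's host and path fall under a trusted prefix."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    path = parts.path or "/"
    return any(host == h and path.startswith(p) for h, p in TRUSTED_PREFIXES)


class UEUE:
    """Toy single-sign-on store: password hashes plus session records."""

    def __init__(self):
        self.users = {}     # user -> (salt, pbkdf2 digest)
        self.sessions = {}  # sid  -> {"user": str, "exposed": bool}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    def login(self, user: str, password: str):
        """Verify the password and mint a fresh, unexposed session id."""
        if not self.check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "exposed": False}
        return sid

    def request(self, sid, url: str):
        """Gate one request carrying cookie `sid` for `url`.

        Returns (status, sid): 'ok' keeps the cookie; 'reauth' means the
        session was deleted and the user must log in again; 'denied' means
        the cookie is unknown (e.g. a stolen copy of a deleted session).
        """
        sess = self.sessions.get(sid)
        if sess is None:
            return "denied", None
        if not is_trusted(url):
            # Untrusted page: assume any script there can read the cookie.
            sess["exposed"] = True
            return "ok", sid
        if not sess["exposed"]:
            return "ok", sid
        # Untrusted -> trusted crossing: burn the old cookie before serving.
        del self.sessions[sid]
        return "reauth", None


if __name__ == "__main__":
    u = UEUE()
    u.register("mnickel", "correct horse")
    sid = u.login("mnickel", "correct horse")
    print(u.request(sid, "http://members.evolt.org/members.cfm"))     # ('ok', sid)
    print(u.request(sid, "http://members.evolt.org/mnickel/weblog"))  # exposed
    print(u.request(sid, "http://members.evolt.org/members.cfm"))     # ('reauth', None)
```

The re-prompt form then calls `login()` again, which is what gives the user a new, unexposed session id; a copy of the old id lifted from the untrusted page is rejected everywhere afterwards, not only on trusted URLs.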
