[thesite] UEUE -- Cleaning up with SOAP/XML-RPC

Jeremy Ashcraft ashcraft at 13monkeys.com
Thu Nov 29 00:37:11 CST 2001


On Wednesday 28 November 2001 18:49, .jeff wrote:
> jeremy,

> not sure how you propose getting the results of the authentication to the
> requested application so it knows who it's talking to.

With the perl handler, we can pretty much do whatever we want with the 
incoming request, including form data, so we could pass on additional data we 
get back from the authentication with UEUE.  We can also manipulate the 
response (i.e. set cookies) and such.

http://www.modperl.com/book/chapters/ch9.html

can give you a good idea of what's possible.


> this doesn't keep m.e.o. account holders from reading the cookies from the
> browser via javascript.

well, as of now it seems the only way to solve this problem is to not use 
cookies at all or just kill all UEUE cookies when a request goes to 
members.evolt.org (not desirable, I know).  We need to find a way to save 
state for the user, but not expose the fact they're logged into *.evolt.org.  

> sorry to keep pulling this trump, but partially filling the holes mean we
> still have a hole that can be exploited.

this wasn't meant to be a partial fix, you just pointed out a flaw (which I 
should have thought of).  I still think this is a good start at least and can 
be improved.  I don't think a new idea should be discarded because a flaw 
was found.  I'd much rather see "your idea is not quite perfect, let's see how 
we can expand on it and make it better" than "nice try, but here's all the 
reasons why it won't work".

jeremy
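The cookie-scoping problem raised above (members.evolt.org scripts reading UEUE cookies), modelled as an added example that is not part of the original message or of UEUE: it applies the RFC 2109 domain-match and path-match rules browsers used to decide which cookies a host can see, and implements the fallback from the reply of expiring UEUE cookies on requests to members.evolt.org. The cookie names, the `UEUE_` prefix and the `auth.evolt.org` host are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # ".evolt.org" = every host under evolt.org; "auth.evolt.org" = that host only
    path: str = "/"


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 2109 domain-match: exact host, or a '.'-prefixed domain that is a
    proper suffix of the host (so ".evolt.org" matches members.evolt.org)."""
    host, dom = host.lower(), cookie_domain.lower()
    if not dom.startswith("."):
        return host == dom
    return host.endswith(dom) and len(host) > len(dom)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 2109 path-match: the cookie path is a prefix of the request path."""
    return request_path.startswith(cookie_path)


def cookies_visible_to(host: str, request_path: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies the browser sends to this host/path; the same set
    is what document.cookie exposes to a script served from that host."""
    return [c.name for c in jar
            if domain_match(host, c.domain) and path_match(request_path, c.path)]


def expire_headers(host: str, jar: List[Cookie], prefix: str = "UEUE_") -> List[str]:
    """The fallback from the thread: on a request to members.evolt.org, emit
    Set-Cookie headers that clear every UEUE cookie visible there. Only cookies
    whose domain matches the host are cleared, since a browser drops
    Set-Cookie headers for a domain the responding host is not part of."""
    if host.lower() != "members.evolt.org":
        return []
    return [f"Set-Cookie: {c.name}=; domain={c.domain}; path={c.path}; "
            f"expires=Thu, 01 Jan 1970 00:00:00 GMT"
            for c in jar if c.name.startswith(prefix) and domain_match(host, c.domain)]


# Constructed jar: one UEUE cookie scoped to the whole domain (the problem case),
# one scoped to the assumed auth host only (invisible to members.evolt.org).
JAR = [Cookie("UEUE_session", ".evolt.org"), Cookie("UEUE_auth", "auth.evolt.org")]

if __name__ == "__main__":
    print(cookies_visible_to("members.evolt.org", "/", JAR))  # ['UEUE_session']
    print(cookies_visible_to("auth.evolt.org", "/", JAR))     # both cookies
    print(expire_headers("members.evolt.org", JAR))
```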
