On 1/24/07, Larry Stone <[EMAIL PROTECTED]> wrote:

However, the login procedure works by handing your browser a cookie.
The cookie is not marked secure so it gets transmitted on non-encrypted
connections, so it is subject to cookie hijacking (though recent changes
to the Authenticate class mitigate this somewhat) -- basically, the risk
is that an attacker could steal your cookie and get your level of access
to DSpace, which is significant if you're an Administrator.


OK. So if I can discount someone trying to prove to me that they are the
real sh** and coming up with some rocket science, and my site has public
stuff, I only wish to protect access to each user's delete and alter
capability for their submitted items, and the DSpace Administrators' god-like
powers. As the HTTP session timeout can be controlled, I can set it to a
rather short time (say 3 minutes), so that any administrative functions can
be executed briskly. If the cookie is captured, it has expired before it can
be used.

Most sites don't consider this enough of a risk to be worth running the
entire site through HTTPS, but I'm just mentioning it so you know the
reasoning.

OBTW, the <security-constraint> method below is an elegant solution.
It depends on having the secure="true" attribute on the <Connection>
element in your tomcat server.xml, and the <Connection>s set up to
automatically redirect to the HTTPS port, but that's simple to set up;
it's well documented in the Tomcat docs.

It would be great to add this to the wiki, since it doesn't seem to be
there anywhere I can find.  If you need it, I've got a live example
that I could add.


Yes, that would be helpful.

John
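As an added illustration of the configuration Larry describes (not the live example he mentions, and not DSpace's own web.xml or server.xml): a servlet security constraint that requires TLS for the paths that carry the login cookie, the 3-minute session timeout John proposes, and the matching pair of Tomcat Connectors. The URL patterns, port numbers and keystore path are assumed placeholders, and the Connector attribute names are those of Tomcat 6 and later.

```xml
<!-- web.xml (deployment descriptor): force HTTPS on the URL patterns that
     carry the login cookie, and keep idle sessions short.
     The URL patterns below are assumed placeholders, not DSpace's real paths. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated and administrative pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/mydspace/*</url-pattern>
    </web-resource-collection>
    <!-- CONFIDENTIAL makes the container refuse to serve these paths over
         plain HTTP; Tomcat answers with a redirect to the Connector's
         redirectPort instead. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Idle sessions expire after 3 minutes (the value is in minutes), which
       bounds the window in which a captured session cookie is still usable. -->
  <session-config>
    <session-timeout>3</session-timeout>
  </session-config>
</web-app>

<!-- server.xml (Tomcat): the plain-HTTP Connector names the HTTPS port it
     redirects constrained requests to; the HTTPS Connector carries
     secure="true" so requests arriving on it count as confidential.
     Ports, keystore path and password are assumed placeholders. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks" keystorePass="CHANGEME" />
```

Forcing HTTPS on these paths stops the cookie from being sent in the clear on them, but it does not by itself add the Secure attribute to a cookie the application sets; that flag still has to come from the application code.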
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
