> > However, the login procedure works by handing your browser a cookie.
> > The cookie is not marked secure so it gets transmitted on non-encrypted
> > connections, so it is subject to cookie hijacking (though recent changes
> > to the Authenticate class mitigate this somewhat) -- basically, the risk
> > is that an attacker could steal your cookie and get your level of access
> > to DSpace, which is significant if you're an Administrator.
>
> OK. So if I can discount someone trying to prove to me that they are the
> real sh** and coming up with some rocket science, and my site has public
> stuff, I only wish to protect access to each user's delete and alter
> capability for their submitted items, and the DSpace Administrators' godlike
> powers. As the HTTP session timeout can be controlled, I can set it to a
> rather short time (say 3 minutes), so that any administrative functions can
> be executed briskly. If the cookie is captured, before it can be used it is
> expired.

That's more than good enough, and would probably be annoying to users;
I think the default session expiration is about half an hour under Tomcat 5.0,
and that's probably fine -- you get some protection anyway because the
DSpace session remembers the IP address that created it and won't accept
requests from a different IP.  IP spoofing is possible but that's in your
realm of rocket science.

I just wanted to make it clear what the risks are.  Using HTTPS to protect
the pages where passwords are sent from the browser should be perfectly
adequate.

I'll try to get to the wiki page soon; keep an eye on the "recent changes"
page on the wiki:
http://wiki.dspace.org/index.php/Special:Recentchanges

    -- Larry
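The three mitigations discussed in this exchange (a cookie flagged Secure, a short idle timeout, and a session pinned to the IP address that created it) put together in a small server-side session store. This is an added illustration, not DSpace's or Tomcat's own code; the cookie name JSESSIONID is assumed from a Tomcat deployment, and the injectable clock is only there so the timeout can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 3 * 60  # seconds; the short timeout proposed in the thread


@dataclass
class Session:
    user: str
    client_ip: str   # IP address that performed the login
    last_seen: float  # time of the last accepted request


class SessionStore:
    """Server-side sessions with IP pinning and an idle timeout (assumed design)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable for testing; defaults to wall-clock time

    def login(self, user, client_ip):
        # 256 bits of randomness so the identifier cannot be guessed
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, self.clock())
        return sid

    def set_cookie_header(self, sid):
        # Secure: browser only sends it over HTTPS, so it is not exposed on plain HTTP.
        # HttpOnly: page scripts cannot read it.
        return f"Set-Cookie: JSESSIONID={sid}; Path=/; Secure; HttpOnly"

    def authenticate(self, sid, client_ip, is_https):
        """Return the user for a valid session, or None if the request is rejected."""
        if not is_https:
            return None  # defence in depth: never honour the cookie on a plaintext connection
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]  # idle too long: a captured cookie is already useless
            return None
        if s.client_ip != client_ip:
            del self._sessions[sid]  # presented from another address: revoke rather than just refuse
            return None
        s.last_seen = now  # each accepted request restarts the idle timer
        return s.user
```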


_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech