On Wed, 3 May 2000, Armand A. Verstappen wrote:
> A possible work-around would be to include the host-id that sent the cookie
> in the cookie-value, together with the user/pass info, and then have
> mgd_auth_mgd("","",1) refuse to delete the cookie if the existing cookie
> doesn't originate from the same host. Ugly, admitted.
Urgh. Cookies are a pain, it turns out. The path must be the same as the
start of the URL fetched. This is not even a sitegroup-specific problem:
if you assign ownership to prefix host to one of your users, the
login cookie, if any, will be sent by Netscape & co. for easy account
harvesting. I perceive this as a security problem. Not that I'd recommend
using cookies for authentication, but still...
The path problem aside, the login cookie should probably be removed from
the request environment after the authentication phase.
Emile
--
This is The Midgard Project's mailing list. For more information,
please visit the project's web site at http://www.midgard-project.org
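The two points in the message above, as an added example that is not part of the original post or of Midgard's code: which requests a path-scoped cookie accompanies (RFC 6265 path-match rules), and removing the login cookie from the request environment once authentication is done. The cookie name `login`, the CGI-style `HTTP_COOKIE` key and all paths and values are assumptions constructed for illustration.

```python
# Added illustration. LOGIN_COOKIE and the sample paths are hypothetical,
# not names taken from Midgard.
LOGIN_COOKIE = "login"


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: is the cookie sent for this path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary: "/admin" must not
        # match "/administrator".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, request_path):
    """Names of the cookies in jar [(name, path), ...] attached to a request."""
    return [name for name, path in jar if path_matches(path, request_path)]


def scrub_login_cookie(environ):
    """Return a copy of the request environment without the login cookie.

    Meant to run right after the authentication phase, so page code that
    executes later (possibly written by another user) never sees it.
    """
    kept = []
    for pair in environ.get("HTTP_COOKIE", "").split(";"):
        pair = pair.strip()
        if pair and pair.split("=", 1)[0].strip() != LOGIN_COOKIE:
            kept.append(pair)
    cleaned = dict(environ)
    if kept:
        cleaned["HTTP_COOKIE"] = "; ".join(kept)
    else:
        cleaned.pop("HTTP_COOKIE", None)
    return cleaned


if __name__ == "__main__":
    # Constructed case: a cookie scoped to "/" follows the browser into a
    # part of the host that has been handed to another user.
    print(cookies_sent([(LOGIN_COOKIE, "/")], "/users/alice/page.html"))
    print(cookies_sent([(LOGIN_COOKIE, "/admin")], "/users/alice/page.html"))
    env = {"HTTP_COOKIE": "theme=dark; login=PLACEHOLDER; lang=en"}
    print(scrub_login_cookie(env))
```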