> If you use a cookie over a wireless network, and you're not using a VPN, you might as well be advertising your password in this newsgroup.

But is it the cookies or is it the unsecured wireless network that is the problem? Cookie/session is really there to add features to HTTP because HTTP is (was?) stateless.

On Tue, Dec 2, 2008 at 10:33 AM, Berend de Boer <[EMAIL PROTECTED]> wrote:
>
>>>>>> "Paul" == Paul Bennett <[EMAIL PROTECTED]> writes:
>
>     Paul> Given that your proposed solution is arguably far more complex, I'm struggling to see the benefits against standard application / session-based security. Would you be able to outline what you see the benefits being?
>
> I hope you're not arguing that cookie based authentication is:
>
> 1. Easy to implement.
>
> 2. Has no significant security issues.
>
> On 1, it's very complex, most people won't get it right, and 2. given the mounting number of significant issues with cookie based authentication I think it's completely broken. With more and more wireless networks and the triviality with which many can be broken, cookies are extremely insecure. If you use a cookie over a wireless network, and you're not using a VPN, you might as well be advertising your password in this newsgroup.
>
> So the complexity of this approach is relative to cookie based complexity, and probably less complex. It's also very much more secure. And part of the complexity is because browsers don't allow you to logout, so we need some trickery here. Hopefully this gets fixed if more people use this approach.
>
> On shared hosting: you get what you pay for obviously.
>
> The benefits are that we don't use cookies, so no privacy concerns, we're much more secure, security is declarative (PHP frameworks give you that as well of course), works for every resource including images and PDFs (which you would have to cloak with PHP otherwise), and we can take advantage of HTTP (intermediary) caches.
>
> --
> Cheers,
>
> Berend de Boer

--
Visit my website: http://onlinesid.com

NZ PHP Users Group: http://groups.google.com/group/nzphpug
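The thread's concern is a session cookie travelling over an unencrypted link. As an added example (not code from either poster or from any PHP framework they mention), this is how a PHP application can confine the session cookie to TLS and keep it out of URLs and scripts; it assumes PHP 7.3 or later for the array form of session_set_cookie_params and an HTTPS virtual host to redirect to.

```php
<?php
// Added example: hardened PHP session start. Assumes PHP >= 7.3 and that the
// site is reachable over HTTPS; neither assumption comes from the thread.
declare(strict_types=1);

function request_is_https(): bool
{
    // Common server variables; a reverse proxy may need X-Forwarded-Proto instead.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    return (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

function start_hardened_session(): void
{
    // Never create or read the session over plain HTTP: send the browser to TLS first.
    if (!request_is_https()) {
        $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
        $uri  = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . $host . $uri, true, 301);
        exit;
    }

    ini_set('session.use_only_cookies', '1'); // no session id in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, discarded on close
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // browser sends it over HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

function login_user(string $userId): void
{
    start_hardened_session();
    // Fresh id after authentication so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}
```

The `secure` flag is the part that answers the poster's question: the browser will not send the cookie on a plain-text connection, so an unencrypted wireless link cannot expose it.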
