On Fri, Nov 16, 2001 at 02:09:25AM +0100, Tom Bille wrote:
> The aim of the cookie example in the eagle book is a bit more than just
> authentication. Most of the answers here to use a
> session ID here are quite right for most purposes, but the code in the eagle book
> offers to store informatio
> > If you happen to type in a URL, they can revive your
> > session from the cookie. Pretty nifty trick.
>
> This would seem to be a security hole to me. URLs appear in the logs
> of the server as well as any proxy servers along the way. If the URL
> contains reusable auth info, anybody acces
rom: Rob Nagler <[EMAIL PROTECTED]>
> Organization: bivio Software Artisans, Inc. <http://www.bivio.net>
> Date: Fri, 16 Nov 2001 15:22:02 -0700
> To: [EMAIL PROTECTED]
> Subject: RE: Cookie authentication
>
>> If you happen to type in a URL, they can revive you
> If you happen to type in a URL, they can revive your
> session from the cookie. Pretty nifty trick.
This would seem to be a security hole to me. URLs appear in the logs
of the server as well as any proxy servers along the way. If the URL
contains reusable auth info, anybody accessing any of
session from the cookie. Pretty nifty trick.
- Kyle
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> David Young
> Sent: Thursday, November 15, 2001 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cookie authentication
>
>
osted.
--Joe Breeden
---
If it compiles - Ship It!
Aranea Texo
> -Original Message-
> From: David Young [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 6:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cookie authentication
>
The aim of the cookie example in the eagle book is a bit more than just
authentication. Most of the answers here to use a
session ID here are quite right for most purposes, but the code in the eagle book
offers to store information on the client side
with the security of a signature. It's NOT j
you try to purchase something or go to a sensitive area, you are
asked to sign-in and sent a cookie over https.
> From: "Perrin Harkins" <[EMAIL PROTECTED]>
> Date: Thu, 15 Nov 2001 18:40:03 -0500
> To: "Joe Breeden" <[EMAIL PROTECTED]>, "mod_p
> Excuse my question if it seems dumb, I'm not 100% on NAT and
> proxies, but the Eagle book says to 1 Choose a secret, 2 Select fields to be
> used for the MAC. It also suggests to use the remote IP address as one of
> those fields. 3 Compute the MAC via an MD5 hash and store in the client's
> brows
At 05:20 PM 11/15/01 -0600, John Michael wrote:
> Thanks.
> I did not know that you could verify that someone has cookies turned on.
> Can you point me to where I can find out how to do this? Is there a
> variable that you can check?
You set a cookie and do a redirect (if you need the cookie right a
, November 15, 2001 4:52 PM
> To: Joe Breeden; mod_perl List
> Subject: Re: Cookie authentication
>
>
> > Here we insert a session id on all requests, with Apache::Session whether
> > the request is for a static or dynamic page and have a TransHandler to
> > st
ED]>
Sent: Thursday, November 15, 2001 4:24 PM
Subject: Re: Cookie authentication
> On 15 Nov 2001, at 12:16, Andrew Ho wrote:
>
> > CD>It seems you can't do anything online without having cookies turned on
> > CD>(yahoo, bankone, huntington, ebay, etrade ) a
At 02:02 PM 11/15/01 -0600, John Michael wrote:
This may seem off subject but, if you bear with me, I don't think it is. I am interested in using the cookie-based system referred to in the programming the apache api book but often wonder this.
Can you count on everyone to use cookies?
> Here we insert a session id on all requests, with Apache::Session whether
> the request is for a static or dynamic page and have a TransHandler to strip
> the session id and insert it into %ENV which seems to work for us. With this
> approach we don't necessarily need cookies, but verifying if
oe Breeden
---
If it compiles - Ship It!
Aranea Texo
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 4:25 PM
> To: mod_perl List
> Subject: Re: Cookie authentication
>
>
> On 15 N
On 15 Nov 2001, at 12:16, Andrew Ho wrote:
> CD>It seems you can't do anything online without having cookies turned on
> CD>(yahoo, bankone, huntington, ebay, etrade ) and I think internet users
> CD>have accepted this.
> Methinks there is a need to write a transparent "store cookies on URL"
> m
--Joe Breeden
---
If it compiles - Ship It!
> -Original Message-
> From: Andrew Ho [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 2:17 PM
> To: Charles Day
> Cc: John Michael; mod_perl List
> Subject: Re: Cookie authentication
>
>
> I seem to recall at least one major Apache module having an option
> to use URL-based authentication instead of cookie-based... but I can't
> seem to find that from a cursory perusal of CPAN.
Apache::ASP does this.
- Perrin
Hello,
CD>It seems you can't do anything online without having cookies turned on
CD>(yahoo, bankone, huntington, ebay, etrade ) and I think internet users
CD>have accepted this.
Not those clever European governmental folks, though.
http://www.vnunet.com/News/107416
http://news.zdnet.co.
On Thu, 15 Nov 2001, John Michael wrote:
> Date: Thu, 15 Nov 2001 14:02:04 -0600
> From: John Michael <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Cookie authentication
>
> This may seem off subject but, if you bear with me, I don't think it
> is. I am interested in using the cookie bas
John,
We rolled out cookie authentication (Auth::Cookie) for our secured support
website around Jan 2001 and we never received one complaint (and our people
complain about everything:)
It seems you can't do anything online without having cookies turned on ( yahoo,
bankone, huntington, e