From: Peter M. <ma...@ph...> - 2000-08-25 06:34:03
|
On Thu, Aug 24, 2000 at 09:46:25PM -0500, Luke Ehresman wrote: > > Any ideas on the no-cookie stuff? We'd really like to keep the no-cookie > > option in. Could ofcourse be configurable again. Right now our > > version allows both cookies and no cookies. > > I like this model very much. We have had long discussions on this list as to > whether to use session saving, or cookies for passwords. Now that we have > encrypted passwords, I think this is much less of an issue of security. It is > terribly convenient to support both, and since you have the code done already, > I don't see why we couldn't use this in some form or another. Of course, i am > not a security expert, and would like everyone's opinions on this, especially > those involved in some of the initial discussions... I may comment on this if I could. I dont see the point in storing the username/password in the cookie be it plain text or encypted. The reason being, to make it useful you will need to authenticate every request. Something you do not want to do if your using imap. So, unless we authenticate every request I dont see the point. What you may want to store in the cookie is a session id thats difficult to guess. In the past I've used encyption to generate the session id. This way, if it doesnt decrypt then you can be sure someone is trying to guess it. In addition to encryption, I also use optional information that comes from the clients browser. For instance, IP address. The IP adderess can be embeded in the encrypted session id. Upon each request the session id can be decrypted and the IP addresses compared. You can do even more. Like store an expire time which squirel checks for each request. Afte all, why rely on the client to expire it. Thats insecure. There are many posibilities and the idea is to simply serialize a data structure and encrypt it with a common key. Regards Peter Marelas |