From: Nathan V. <na...@th...> - 2001-01-25 19:07:12
On Thu, 25 Jan 2001, Chris Nandor wrote:

> Well, in our new system, session IDs are not used for security anymore,
> they are only used for tracking the activity of an author (how long they
> have been logged on and what story they are working on and such), so I
> don't think that's necessary. The only way an author/admin is logged in,
> anymore, is by his regular username and password, and the user cookie that
> goes with it.

Whoah, I didn't realize usernames/passwords were stored in the cookies.
Cookies are (in theory) interceptable since they're sent over the net in
clear text (unless you're using SSL), so Bad Guys could steal your cookie
and learn your password and log in as you and do Bad Things.

The method outlined in the Eagle book and implemented in Apache::Session
doesn't have this problem, and is suitable, e.g., for ecommerce or other
privacy-sensitive session tracking.

Now, maybe it's not essential for Slash to have this level of
security/privacy, especially in the interests of speed, but there are more
secure ways of doing it. Also, it would actually save the authentication
database lookup, I think...but would require an MD5 computation.

-n
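The alternative Nathan alludes to (a cookie that carries no password, only a username, an expiry and a keyed hash the server can recompute without touching the authentication database) is shown below as an added example. This is not Slash's code nor the Eagle book's or Apache::Session's; it is a sketch of the same ticket structure. The secret, the `user:expires:mac` layout, the eight-hour lifetime and the helper names are assumptions made for the example, and HMAC-SHA256 is used in place of the MD5 construction the post mentions; the shape of the ticket is unchanged.

```python
import hashlib
import hmac

# Constructed server-side secret for this example; a real deployment keeps
# this out of source control and rotates it.
SERVER_SECRET = b"example-secret-not-for-production"
TICKET_LIFETIME = 8 * 3600  # seconds; an assumed value


def _mac(secret: bytes, payload: bytes) -> str:
    # Keyed hash over the ticket fields. HMAC-SHA256 stands in for the plain
    # MD5 construction of the era; the structure of the ticket is the same.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_ticket(user: str, issued_at: int, secret: bytes = SERVER_SECRET,
                lifetime: int = TICKET_LIFETIME) -> str:
    """Build a cookie value of the form user:expires:mac.

    Nothing secret (no password) goes into the cookie. Only the MAC,
    computed with the server secret, binds the fields together, so a
    thief who reads the cookie learns the username and nothing else.
    """
    if ":" in user:
        raise ValueError("username may not contain ':'")
    expires = issued_at + lifetime
    payload = f"{user}:{expires}".encode()
    return f"{user}:{expires}:{_mac(secret, payload)}"


def verify_ticket(ticket: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the username if the ticket is authentic and unexpired, else None.

    No database lookup is needed: the server recomputes the MAC over the
    presented fields and compares it to the one in the cookie.
    """
    try:
        user, expires_s, mac = ticket.split(":")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed cookie
    if now >= expires:
        return None  # expired ticket
    expected = _mac(secret, f"{user}:{expires}".encode())
    if not hmac.compare_digest(mac, expected):
        return None  # fields were altered or the MAC was forged
    return user


if __name__ == "__main__":
    t0 = 980000000  # fixed clock so the example is reproducible
    ticket = make_ticket("alice", t0)
    print("cookie:", ticket)
    print("valid:", verify_ticket(ticket, t0 + 60))
    # Forgery attempt: change the user field but keep the original MAC.
    forged = "admin" + ticket[ticket.index(":"):]
    print("forged:", verify_ticket(forged, t0 + 60))
    print("expired:", verify_ticket(ticket, t0 + TICKET_LIFETIME + 1))
```

Two caveats a practitioner would keep in mind: the ticket still travels in the clear without SSL, so a stolen copy lets the thief act as that user until the expiry passes (hence the short lifetime), and revoking a single ticket early requires some server-side state again, since the whole point of the scheme is that verification otherwise needs none.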