[Seaside] Efficient & trustable authorisation checks?
Tim Rowledge
tim@sumeru.stanford.edu
Sat, 25 May 2002 12:30:34 -0700
In message <Pine.LNX.4.30.0205251205310.28009-100000@cable.beta4.com>
Avi Bryant <avi@beta4.com> wrote:
> Cookies are better protection from over-the-shoulder attacks - it's hard
> to steal someone's session id from across the room. There is, or was, a
> flag you could turn on in IAApplication that uses cookies instead of the
> url to store the session, but to be honest I'm not sure it survived the
> latest updates. If you decide to go that way I'll resurrect it.
OK, that would be good I suspect.
>
> However, even with cookies someone could (intentionally) give their
> session to someone else, or could try to brute force guess a valid session
> key. I don't think either of these are very likely, but the most secure
> way is still going to be to use HTTP auth and check the ID every time.
Err, sorry? HTTP auth? Wossat?
tim
--
Tim Rowledge, tim@sumeru.stanford.edu, http://sumeru.stanford.edu/tim
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
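An added illustration of the two approaches Avi contrasts above (this is constructed Python, not Seaside or IAApplication code, and the user table, session store and header values are made up for the example): a cookie-held session id that is long enough that guessing a live one is impractical, beside an HTTP Basic Authorization check that re-verifies the credentials on every request.

```python
import base64
import hmac
import secrets

# Constructed credential store and session table; a real deployment would
# keep password hashes, not cleartext, and expire sessions.
USERS = {"alice": "correct horse"}
SESSIONS = {}


def new_session(user):
    """Issue a session id with 256 bits of entropy, so brute-force guessing
    a valid id is infeasible even with many sessions alive."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def user_from_cookie(headers):
    """Cookie mode: trust the session id the browser presents, if we issued it."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def user_from_http_auth(headers):
    """HTTP auth mode: check the Basic credentials on every request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison so a wrong password fails without leaking timing.
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


def authorise(headers, mode):
    """Return the authenticated user for one request under the chosen mode."""
    return user_from_cookie(headers) if mode == "cookie" else user_from_http_auth(headers)
```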