[Seaside] Efficient & trustable authorisation checks?
Sat, 25 May 2002 12:30:34 -0700
In message <Pine.LNX.firstname.lastname@example.org>
Avi Bryant <email@example.com> wrote:
> Cookies are better protection from over-the-shoulder attacks - it's hard
> to steal someone's session id from across the room. There is, or was, a
> URL to store the session, but to be honest I'm not sure it survived the
> latest updates. If you decide to go that way I'll resurrect it.
OK, that would be good I suspect.
> However, even with cookies someone could (intentionally) give their
> session to someone else, or could try to brute force guess a valid session
> key. I don't think either of these is very likely, but the most secure
> way is still going to be to use HTTP auth and check the ID every time.
Err, sorry? HTTP auth? Wossat?
Tim Rowledge, firstname.lastname@example.org, http://sumeru.stanford.edu/tim
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
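
The check discussed in this thread (HTTP authentication verified on every request, with the session key tied to the authenticated user), as an added example in Python that is not part of the original messages and is not Seaside code. The names `USERS`, `SESSIONS`, `check_request` and the sample accounts are constructed for illustration.

```python
import base64
import hmac
import secrets

# Constructed sample accounts; a real application would store salted password hashes.
USERS = {"alice": "correct horse", "bob": "battery staple"}
SESSIONS = {}  # session id -> name of the user who created it

def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(header):
    """Return the user name if the credentials are valid, else None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    # compare_digest does not reveal how many leading characters matched.
    ok = expected is not None and hmac.compare_digest(password.encode(), expected.encode())
    return user if ok else None

def new_session(user):
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: impractical to guess
    SESSIONS[sid] = user
    return sid

def check_request(auth_header, session_id):
    """Run on every request; returns the HTTP status the server should send."""
    user = authenticate(auth_header)
    if user is None:
        return 401  # server also sends: WWW-Authenticate: Basic realm="..."
    if SESSIONS.get(session_id) != user:
        return 403  # session unknown, guessed, or created by a different user
    return 200

def basic(user, password):
    """Build a constructed Authorization header value for the samples."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A session key passed to another person fails the second check because that person's HTTP credentials name a different user. Basic auth sends the password in reversible base64 on every request, so it needs TLS underneath.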