[Seaside] Efficient & trustable authorisation checks?

Tim Rowledge tim@sumeru.stanford.edu
Sat, 25 May 2002 12:30:34 -0700

In message <Pine.LNX.4.30.0205251205310.28009-100000@cable.beta4.com>
          Avi Bryant <avi@beta4.com> wrote:

> Cookies are better protection from over-the-shoulder attacks - it's hard
> to steal someone's session id from across the room.  There is, or was, a
> flag you could turn on in IAApplication that uses cookies instead of the
> url to store the session, but to be honest I'm not sure it survived the
> latest updates.  If you decide to go that way I'll resurrect it.
OK, that would be good I suspect.
> However, even with cookies someone could (intentionally) give their
> session to someone else, or could try to brute force guess a valid session
> key.  I don't think either of these are very likely, but the most secure
> way is still going to be to use HTTP auth and check the ID every time.
Err, sorry? HTTP auth? Wossat?


Tim Rowledge, tim@sumeru.stanford.edu, http://sumeru.stanford.edu/tim
"#define QUESTION ((bb) || !(bb))  - Shakespeare."