On or about 01 Dec, 2001, Mike Castle <[EMAIL PROTECTED]> wrote:

> On Sat, Dec 01, 2001 at 12:58:44PM -0800, Michael Warner wrote:
> > "FORCE_SSL_COOKIES_SECURE:TRUE" keeps me from logging in via the
> > https:// route. When you get routed from the https:// login to the
> > http:// mail page, it doesn't know what to do with the secure
> > cookie. I'm guessing, anyway. I'd always just left it set TRUE
>
> Hmmm. Maybe lynx should notify the user with something like "I have a
> cookie I might use, but it's for https (or vice-versa)." Or something like
> that? Maybe it does and I've just never triggered it.
I don't know enough (read: I know nothing) about standard practice in the use of secure cookies, or about secure cookies themselves, for that matter, to venture an opinion.

What is a secure cookie? Handshaking plus encryption? Is redirecting from a secure https://login.server to an insecure http://content.server a Bad Thing? If not, can anybody point me to an RFC-like object that codifies the SHOULDs, MAYs and MUSTs of the transaction? If not, is there a list consensus on real-world conditions in this area?

The only two https:// sites I've noticed have tried to ship me off to an http:// server, and failed with a secure cookie. I'm pretty sure I've used a few other https sites (though not many), and didn't have a problem. I'm guessing now that they kept the whole session https, and cookies weren't an issue.

Absent knowledge, I guess I'd leave the status quo (secure cookies off by default, right?) alone, maybe adding a warning to the lynx.cfg comment about the possible pitfalls of enabling it. I'd probably shy away from the prompt idea on the basis of anti-feeping-creaturism, and a personal antipathy toward the nagging little buggers, but if there's enough real-world variability in site behavior to make it useful, I might be swayed.

The most important thing is what, if anything, the standard says. I'm used to being smug about Lynx doing the Right Thing, and don't want to give that up. Even caving in to serial-<BR>-ers and incompetent commenters rankles :)

So, anybody willing to offer a learned discourse and/or an RFC reference?

-- 
Michael Warner      | Procrastinate now.
<[EMAIL PROTECTED]> |
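An added example, not lynx code and not part of this thread, modelling the rule the question above is really about: under RFC 2109 section 4.2.2 (codifying the original Netscape cookie spec) a cookie carrying the Secure attribute is only returned over a secure channel, which for a browser means https. The jar below also carries a hypothetical force_ssl_cookies_secure switch standing in for lynx.cfg's FORCE_SSL_COOKIES_SECURE, assumed here to mark every cookie received over https as Secure whether or not the server said so; the hostnames, paths and cookie values are constructed. Run through the https login followed by a redirect to an http mail page, it shows why the login appears to fail: the session cookie is withheld on the http hop, and the list of withheld cookies is exactly what a notification of the kind Mike Castle suggests would report.

```python
"""Constructed example: a minimal cookie jar modelling the Secure attribute.

Per RFC 2109 s.4.2.2 (and the Netscape cookie spec it codified), a cookie
carrying the Secure attribute must only be sent back over a secure channel,
i.e. https here.  Illustrative code, not lynx's cookie jar; the
force_ssl_cookies_secure switch is a stand-in for lynx.cfg's
FORCE_SSL_COOKIES_SECURE and is assumed to mark any cookie received over
https as Secure even if the server omitted the attribute.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # host or domain the cookie is scoped to
    path: str
    secure: bool  # True => only send over https


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse a Set-Cookie header received in the response to request_url."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    u = urlsplit(request_url)
    domain, path, secure = (u.hostname or ""), "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            secure = True              # attribute takes no value
        elif key == "domain" and val:
            domain = val.lstrip(".")   # ".example.com" covers all subdomains
        elif key == "path" and val:
            path = val
    return Cookie(name.strip(), value.strip(), domain, path, secure)


class CookieJar:
    def __init__(self, force_ssl_cookies_secure: bool = False):
        self.force_ssl_cookies_secure = force_ssl_cookies_secure
        self.cookies: list[Cookie] = []

    def store(self, set_cookie: str, request_url: str) -> Cookie:
        c = parse_set_cookie(set_cookie, request_url)
        if self.force_ssl_cookies_secure and urlsplit(request_url).scheme == "https":
            c.secure = True  # assumed FORCE_SSL_COOKIES_SECURE behaviour
        # replace any existing cookie with the same name/domain/path
        self.cookies = [x for x in self.cookies
                        if (x.name, x.domain, x.path) != (c.name, c.domain, c.path)]
        self.cookies.append(c)
        return c

    def cookie_header(self, url: str) -> tuple[str, list[str]]:
        """Return (Cookie header value, names of cookies withheld because
        they are Secure and the request is not https)."""
        u = urlsplit(url)
        host, path = (u.hostname or ""), (u.path or "/")
        sent, withheld = [], []
        for c in self.cookies:
            if host != c.domain and not host.endswith("." + c.domain):
                continue
            if not path.startswith(c.path):
                continue
            if c.secure and u.scheme != "https":
                withheld.append(c.name)   # the case a user notification would report
                continue
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent), withheld


def login_then_redirect(force_ssl_cookies_secure: bool, set_cookie: str) -> dict:
    """Model the thread's scenario: log in over https, then get bounced to an
    http mail page on another host of the same domain (hosts are made up)."""
    jar = CookieJar(force_ssl_cookies_secure)
    jar.store(set_cookie, "https://login.example.com/login")
    http_hdr, withheld = jar.cookie_header("http://mail.example.com/inbox")
    https_hdr, _ = jar.cookie_header("https://mail.example.com/inbox")
    return {"http": http_hdr, "withheld_on_http": withheld, "https": https_hdr}


# Constructed server response: note the server did NOT set Secure itself.
SERVER_COOKIE = "session=abc123; Domain=.example.com; Path=/"

if __name__ == "__main__":
    for forced in (True, False):
        r = login_then_redirect(forced, SERVER_COOKIE)
        print(f"FORCE_SSL_COOKIES_SECURE={forced}: http Cookie={r['http']!r} "
              f"withheld={r['withheld_on_http']} https Cookie={r['https']!r}")
```

With the switch on, the http mail page never receives the session cookie, so the site treats the user as logged out; with it off, the same cookie is sent in the clear over http, which is the exposure the switch exists to prevent. A site that keeps the whole session on https, as the post above guesses the working sites did, never hits the mismatch either way.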
