Christian Gilmore wrote:

  4. I cannot modify the cookie and should not send additional cookies.
[snip]

about 4. Can I use an unmodified AuthCookie to ensure that whatever format
the inbound cookie is in is sufficient and will not need to be modified or
supplemented? I believe the answer is no, and, if it is, should this be

What exactly do you mean by this? What are you trying to accomplish? Do you mean "The user cannot modify the cookie?" If that's what you mean, then yes, there are ways to do that. Basically you have to cryptographically sign the cookie using a secret that is unknown to the end user. There is an example of this in the Eagle book, and Apache::AuthTicket uses a scheme similar to this. Because you can't control what the cookie server sends, you'd probably have to do some sort of double redirect. For example:

o user is redirected to auth server
o auth server returns cookie and redirects to /SIGNHANDLER
o signhandler gets the cookie, cryptographically signs it, and
returns the cookie to the client and redirects to real location
o user is redirected to real location.

If that's not what you mean, please elaborate.

Regards,
Mike

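The double-redirect scheme Mike sketches above, worked through as an added example (this is not code from the thread, from Apache::AuthTicket or from the Eagle book; it is written in Python rather than mod_perl purely to keep the scheme self-contained and runnable). The cookie names, the server-side secret, the /SIGNHANDLER destination parameter and the ticket format emitted by the "auth server" are all constructed assumptions. The point it demonstrates is the one in the reply: the client can still read the cookie value, but without the server-side secret it cannot alter or forge it, and the protected location rejects anything that does not carry a valid tag.

```python
"""Signed-cookie "double redirect": auth server -> /SIGNHANDLER -> real location.

Added illustration of the scheme described in the reply; all names are assumed.
"""
import base64
import binascii
import hashlib
import hmac
import secrets

# Assumed server-only secret shared by the sign handler and the protected
# location. It is never sent to the client (constructed for this example).
SECRET_KEY = b"change-me-server-only-secret"

COOKIE_NAME = "AuthTicket"           # assumed name of the upstream server's cookie
SIGNED_COOKIE_NAME = "SignedTicket"  # assumed name of the re-issued, signed cookie


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return <value>.<tag>; the tag is HMAC-SHA256 over the value under the server secret."""
    payload = value.encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag verifies, otherwise None.

    Any malformed input (missing separator, bad base64) is treated as a forgery,
    and the tag comparison is constant-time.
    """
    try:
        payload_b64, tag_b64 = signed.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode("utf-8")


def auth_server_redirect(user: str) -> dict:
    """Hop 1: the auth server we cannot modify sets its own cookie and redirects to /SIGNHANDLER."""
    ticket = f"{user}:{secrets.token_hex(8)}"  # constructed stand-in for the real cookie format
    return {"status": 302, "Location": "/SIGNHANDLER?dest=/protected",
            "Set-Cookie": f"{COOKIE_NAME}={ticket}"}


def sign_handler(request_cookies: dict, dest: str) -> dict:
    """Hop 2: take the inbound cookie as-is, re-issue it signed, redirect to the real location."""
    ticket = request_cookies.get(COOKIE_NAME)
    if ticket is None:
        return {"status": 403}
    return {"status": 302, "Location": dest,
            "Set-Cookie": f"{SIGNED_COOKIE_NAME}={sign_cookie(ticket)}"}


def protected_location(request_cookies: dict) -> dict:
    """Hop 3: the real location trusts only a cookie whose tag verifies under the secret."""
    value = verify_cookie(request_cookies.get(SIGNED_COOKIE_NAME, ""))
    if value is None:
        return {"status": 403}
    return {"status": 200, "user": value.split(":", 1)[0]}


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser for the simulation (name=value only)."""
    name, _, value = header.partition("=")
    return {name: value}


if __name__ == "__main__":
    r1 = auth_server_redirect("alice")            # user hits the auth server
    jar = parse_set_cookie(r1["Set-Cookie"])      # browser stores AuthTicket
    r2 = sign_handler(jar, "/protected")          # /SIGNHANDLER signs it
    jar.update(parse_set_cookie(r2["Set-Cookie"]))
    print(protected_location(jar))                # {'status': 200, 'user': 'alice'}

    # Client edits the payload but cannot recompute the tag: rejected.
    forged = _b64(b"root:0000") + "." + jar[SIGNED_COOKIE_NAME].split(".")[1]
    print(protected_location({SIGNED_COOKIE_NAME: forged}))  # {'status': 403}
```

Note that the upstream AuthTicket cookie itself is never changed, which matches the constraint in point 4: the sign handler only adds a second, signed cookie that the protected location checks.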