On Fri, Nov 16, 2001 at 02:09:25AM +0100, Tom Bille wrote:
The aim of the cookie example in the eagle book is a bit more than just
authentication. Most of the answers here to use a
session ID here are quite right for most purposes, but the code in the eagle book
offers to store information
.
--Joe Breeden
---
If it compiles - Ship It!
Aranea Texo
-Original Message-
From: David Young [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 6:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Cookie authentication
I don't think
session from the cookie. Pretty nifty trick.
- Kyle
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
David Young
Sent: Thursday, November 15, 2001 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Cookie authentication
I don't think that really solves
If you happen to type in a URL, they can revive your
session from the cookie. Pretty nifty trick.
This would seem to be a security hole to me. URLs appear in the logs
of the server as well as any proxy servers along the way. If the URL
contains reusable auth info, anybody accessing any of
]
Organization: bivio Software Artisans, Inc. http://www.bivio.net
Date: Fri, 16 Nov 2001 15:22:02 -0700
To: [EMAIL PROTECTED]
Subject: RE: Cookie authentication
If you happen to type in a URL, they can revive your
session from the cookie. Pretty nifty trick.
This would seem to be a security
If you happen to type in a URL, they can revive your
session from the cookie. Pretty nifty trick.
This would seem to be a security hole to me. URLs appear in the logs
of the server as well as any proxy servers along the way. If the URL
contains reusable auth info, anybody accessing
This may seem off subject but, if you bear with me,
I don't think it is. I am interested in using the cookie based system
referred to in the programming the apache api book but often wonder
this.
Can you count on everyone to use cookies? It
seems that some surfers are afraid of cookies are
John,
We rolled out cookie authentication (Auth::Cookie) for our secured support
website around Jan 2001 and we never received one complaint (and our people
complain about everything:)
It seems you can't do anything online without having cookies turned on (yahoo,
bankone, huntington, ebay
On Thu, 15 Nov 2001, John Michael wrote:
Date: Thu, 15 Nov 2001 14:02:04 -0600
From: John Michael [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cookie authentication
This may seem off subject but, if you bear with me, I don't think it
is. I am interested in using the cookie based
Hello,
CD> It seems you can't do anything online without having cookies turned on
CD> (yahoo, bankone, huntington, ebay, etrade) and I think internet users
CD> have accepted this.
Not those clever European governmental folks, though.
http://www.vnunet.com/News/107416
I seem to recall at least one major Apache module having an option
to use URL-based authentication instead of cookie-based... but I can't
seem to find that from a cursory perusal of CPAN.
Apache::ASP does this.
- Perrin
---
If it compiles - Ship It!
-Original Message-
From: Andrew Ho [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 2:17 PM
To: Charles Day
Cc: John Michael; mod_perl List
Subject: Re: Cookie authentication
Hello,
CD> It seems you can't do anything online
On 15 Nov 2001, at 12:16, Andrew Ho wrote:
CD> It seems you can't do anything online without having cookies turned on
CD> (yahoo, bankone, huntington, ebay, etrade) and I think internet users
CD> have accepted this.
Methinks there is a need to write a transparent store cookies on URL
module. I
---
If it compiles - Ship It!
Aranea Texo
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 4:25 PM
To: mod_perl List
Subject: Re: Cookie authentication
On 15 Nov 2001, at 12:16, Andrew Ho wrote:
CD> It seems
Here we insert a session id on all requests, with Apache::Session whether
the request is for a static or dynamic page and have a TransHandler to strip
the session id and insert it into %ENV which seems to work for us. With this
approach we don't necessarily need cookies, but verifying if a
At 02:02 PM 11/15/01 -0600, John Michael wrote:
This may seem off subject but, if you bear with me, I don't think it is. I am interested in using the cookie based system referred to in the programming the apache api book but often wonder this.
Can you count on everyone to use cookies?
, November 15, 2001 4:24 PM
Subject: Re: Cookie authentication
On 15 Nov 2001, at 12:16, Andrew Ho wrote:
CD> It seems you can't do anything online without having cookies turned on
CD> (yahoo, bankone, huntington, ebay, etrade) and I think internet users
CD> have accepted this.
Methinks
:52 PM
To: Joe Breeden; mod_perl List
Subject: Re: Cookie authentication
Here we insert a session id on all requests, with Apache::Session whether
the request is for a static or dynamic page and have a TransHandler to strip
the session id and insert it into %ENV which seems to work
At 05:20 PM 11/15/01 -0600, John Michael wrote:
Thanks.
I did not know that you could verify that someone has cookies turned on.
Can you point me to where I can find out how to do this? Is there a
variable that you can check?
You set a cookie and do a redirect (if you need the cookie right
Excuse my question if it seems dumb I'm not 100% on NAT and
proxies, but the Eagle book says to 1 Choose a secret, 2 Select fields to be
used for the MAC. It also suggests to use the remote IP address as one of
those fields. 3 Compute the MAC via an MD5 hash and store in the client's
browser.
something or go to a sensitive area, you are
asked to sign-in and sent a cookie over https.
From: Perrin Harkins [EMAIL PROTECTED]
Date: Thu, 15 Nov 2001 18:40:03 -0500
To: Joe Breeden [EMAIL PROTECTED], mod_perl List [EMAIL PROTECTED]
Subject: Re: Cookie authentication
Excuse my question
The aim of the cookie example in the eagle book is a bit more than just
authentication. Most of the answers here to use a
session ID here are quite right for most purposes, but the code in the eagle book
offers to store information on the client side
with the security of a signature. It's NOT