[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

J C Lawrence claw@kanga.nu
Mon, 17 Jan 2000 15:26:27 -0800


On Mon, 17 Jan 2000 16:01:56 -0500 
Amos Latteier <Amos@digicool.com> wrote:

>> It's the same reason you don't use telnet on unprotected or
>> untrusted networks (and probably shouldn't even then).  The
>> general problem is that anyone can sniff the wire, pick up the
>> cookie, slap it in their own cookie file and instantly
>> impersonate you with all your access rights.  This is of course
>> why people use things like SSL and variously short lived session
>> keys and the like.

> I just spoke with Chris Petrilli who agrees with you. The PTK
> should not set long lived cookies with authentication information.

More significantly, never put a clear text password in a cookie.  Put 
in a time-sensitive session key or some such which maps to an
authentication.  You then need to make sure that hacking up a cookie 
of the appropriate pattern won't authenticate you -- the easiest way 
of doing this is by keeping server-side state information logging
what session keys are currently out there and valid.

This is about as close as you can get to the old standard of "what
you have and what you know" with cookies.

-- 
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
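The scheme described in the message above, as an added Python example (not Zope or PTK code): an opaque random session key goes in the cookie instead of the password, the server keeps a table of the keys it has issued together with an expiry, and a cookie that merely has the right shape but was never issued is rejected. The `SessionStore` name, the 15-minute lifetime and the hashed storage of keys are assumptions of this example.

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # seconds: a short lifetime bounds how long a sniffed cookie stays useful


def _fingerprint(key: str) -> str:
    # Store only a hash of the key so a leaked session table cannot be replayed directly.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side table of live session keys (constructed example, not PTK code)."""

    def __init__(self, ttl: int = SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock   # injectable so expiry can be exercised deterministically
        self._live = {}      # fingerprint -> (user, expiry timestamp)

    def issue(self, user: str) -> str:
        """Login: mint an unguessable key, record it, and hand only the key to the cookie."""
        key = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, no password inside
        self._live[_fingerprint(key)] = (user, self.clock() + self.ttl)
        return key

    def authenticate(self, presented: str):
        """Map a cookie value back to a user, or None if unknown, expired or revoked."""
        entry = self._live.get(_fingerprint(presented))
        if entry is None:
            return None  # well-formed but never issued: a hacked-up cookie
        user, expiry = entry
        if self.clock() > expiry:
            self.revoke(presented)  # lazily drop keys whose time window has passed
            return None
        return user

    def revoke(self, key: str) -> None:
        """Logout or compromise response: the key stops working server-side at once."""
        self._live.pop(_fingerprint(key), None)


def demo():
    now = [1000.0]
    store = SessionStore(ttl=60, clock=lambda: now[0])
    key = store.issue("alice")
    forged = secrets.token_urlsafe(32)  # same pattern as a real key, never issued
    results = [store.authenticate(key), store.authenticate(forged)]
    now[0] += 61
    results.append(store.authenticate(key))  # past its expiry
    return results  # returns ["alice", None, None]
```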