Re: Re: Cookies at XML Europe 2004 -- Call for Participation
> Why do sites insist on using cookies for user authentication?

HTTP auth requires SSL for all connections or else passwords can be stolen -- do you include that in your "setup in 5 minutes" overhead? With cookies, you only need SSL on the login page if you make the cookie be an opaque ID into server state that has a time-out. In general, login cookies are more secure with less overhead.

Secondarily, I don't know what the cookie is used for, but perhaps they intend to eventually (or have previously done this) support some kind of session or login state; cookies are a natural for that (cf the title of the cookie RFC). Even if all that you're doing is avoiding re-verifying the password, that could be enough state to make a cookie reasonable.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
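The "opaque ID into server state that has a time-out" described in the message above, as an added example that is not part of the original post. The class and method names, the in-memory dict, the 15-minute default and the sliding (per-request) time-out are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side login state keyed by an opaque, random cookie value."""

    def __init__(self, timeout_seconds=900, clock=time.monotonic):
        self._timeout = timeout_seconds
        self._clock = clock          # injectable so the time-out can be tested
        self._sessions = {}          # session id -> (username, expiry time)

    def login(self, username):
        """Call only after the password was verified on the SSL login page."""
        sid = secrets.token_urlsafe(32)  # 256 random bits, no user data inside
        self._sessions[sid] = (username, self._clock() + self._timeout)
        return sid

    def cookie_header(self, sid):
        """Set-Cookie value; the cookie lifetime matches the server time-out."""
        return f"session={sid}; Max-Age={self._timeout}; HttpOnly; Path=/"

    def lookup(self, sid):
        """Return the username for a live session, or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None              # unknown or forged ID
        username, expires = entry
        if self._clock() >= expires:
            del self._sessions[sid]  # timed out: drop the server state too
            return None
        # Assumed policy: each authenticated request extends the session.
        self._sessions[sid] = (username, self._clock() + self._timeout)
        return username

    def logout(self, sid):
        """Invalidate the ID on the server; the cookie alone is then useless."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed test clock so expiry can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```

The password never appears in the cookie, so a captured cookie is only usable until the time-out or logout removes the server-side entry.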