
Re: Re: Cookies at XML Europe 2004 -- Call for Participation


Elliotte Rusty Harold wrote:

> At 7:05 PM -0800 1/5/04, Robert Koberg wrote:
>
>>> In a truly individualized situation all that's needed are URLs of
>>> the form http://www.example.com/page.html?username=elharo
>>
>> Does your bank do this? If so, which bank do you use?
>> In other words, do you care if someone who knows or guesses your
>> username can access your individualized situation?
>
> You're missing a crucial point. The password which is also necessary for
> access is not included in the URL. The URI identifies the resource but
> it is not sufficient for access to the resource (unless that's what you
> want of course.


I must be missing something (definitely possible). If that URL is what 
tells the server that the request is for a resource you would not like 
others to access, then what does the password have to do with it? Or are 
you saying there is some server session being maintained (and so 
incurring all the overhead associated with it) (I doubt something like 
amazon maintains sessions)? If so, and you use a username to access the 
session, it still seems pretty insecure, at least during your active 
session.

...don't know if this is the best, but...
I generally have a user log in to verify as you mention. Then after 
authentication and before the next view is presented a user state object 
is created, populated and serialized using some random session 
identifier as the system id for the serialized object. Then the id is 
passed to a transformation to render a hidden input in the form to be 
submitted. The object can be deserialized on different machines to 
spread the load.

-Rob



> There are less sensitive situations where I might well 
> want to expose the contents of a personalized page to the world; e.g. my 
> wish list at amazon.com)
> 
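As an added illustration of the design Rob sketches above (random session id as the key for a serialized user-state object, carried in a hidden form field, with the username in the URL identifying the resource but not authorizing access), the following is example code written for this archive page, not code from either poster. The in-memory dict standing in for the shared store, the function names and the sample state are all constructed for the example.

```python
import html
import json
import secrets

# Constructed stand-in for the shared store: session id -> serialized user state.
# Because the value is plain serialized text, any machine in the pool can load it.
_SESSION_STORE = {}


def create_session(username, state):
    """Called only after the login step has verified the password.
    The state object is serialized under a random, unguessable id and that id
    (never the username) becomes the credential for the rest of the session."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSION_STORE[session_id] = json.dumps({"username": username, **state})
    return session_id


def hidden_input(session_id):
    """Render the hidden field that carries the id to the next form submission,
    so it travels in the POST body rather than in a bookmarkable, logged URL."""
    return '<input type="hidden" name="sid" value="%s">' % html.escape(session_id)


def load_session(session_id):
    """Deserialize the state for a presented id; unknown or guessed ids yield None."""
    raw = _SESSION_STORE.get(session_id)
    return None if raw is None else json.loads(raw)


def authorize(requested_username, session_id):
    """The point argued in the thread: ?username=elharo only names the resource.
    Access is granted only when the submitted session id deserializes to a state
    object that belongs to that same user."""
    state = load_session(session_id)
    return state is not None and state["username"] == requested_username
```

Knowing or guessing the username in the URL therefore gains nothing without the matching random id, and a forged id simply fails to deserialize.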

