Cookies and Authentication redux
After private discussions with several people, I am being convinced that Mailman should change the way it does cookies. Currently, the cookie has an `expires' header which is supposed to tell your browser to persist the cookie for some amount of time, possibly across browser sessions. This has several problems:
It's a security risk. If you're using a shared browser, your authenticated cookie can be hijacked by the next user.
It's prone to clock and timezone problems. This is the cause of at least one user's recent problems; maybe more people are suffering the same problem but don't know it.
The solution is two-fold I believe. First, Mailman should not set the `expires' header on the cookie at all. RFC 2109 says that browsers should then expire the cookie at the end of the session. Second, we should provide a `Logout' button on the admin pages which will set `max-age=0' to tell the browsers (according to RFC 2109) to end the session.
This comes at a slight cost in convenience, but I think it's worth it. I could conceivably keep ADMIN_COOKIE_LIFE, default it to zero to mean session-cookies-only, and let the site admin set it to a non-zero value to indicate persistent cookie should be used.
On a related note, I think there may also be problems with some of the generated pages getting cached improperly, so I further propose to include the header 'Cache-control: no-cache' on all CGI pages.
Comments? -Barry
On Thu, Jul 20, 2000 at 02:07:46PM -0400, Barry A. Warsaw wrote:
Comments? -Barry
Agreed, except on one thing: expiring the cookie. We recently started testing with a new web-based email package, and it fixes some problems in that regard. With older/other packages, it's possible, after logging out, to go 'back' and 'reload' that page, and it'll show the page as if you are logged in. I'm not sure if that's a browser bug or not, but it certainly posed problems for us ;)
This new webmail apparently fixes that by overwriting the cookie data with empty values, in addition to setting max-age to 0. It works quite well. I suggest adopting that practice. It shouldn't hurt to, in any case.
-- Thomas Wouters thomas@xs4all.net
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
"TW" == Thomas Wouters thomas@xs4all.net writes:
TW> This new webmail apparently fixes that by overwriting the
TW> cookiedata with empty values, in addition to setting max-age
TW> to 0. It works quite well. I suggest adopting that
TW> practice. It shouldn't hurt to, in any case.
Good point; I think I read that some place too. Not sure if it was in the RFC or some other doc. I'll make sure to do that when I add the logout button.
Thanks, -Barry
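The three ideas in this thread (a session cookie with no `expires', a logout that blanks the value and sends max-age=0, and Cache-control: no-cache on every CGI page) as one small sketch. This is an added example, not Mailman's own code; COOKIE_NAME, ADMIN_COOKIE_LIFE, login_headers, logout_headers and cookie_survives are names assumed here for illustration.

```python
from typing import List, Optional, Tuple

COOKIE_NAME = "mailman-admin"   # constructed name, not Mailman's actual cookie
ADMIN_COOKIE_LIFE = 0           # 0 = session cookie only (the proposed default)


def _set_cookie(value: str, max_age: Optional[int] = None) -> str:
    # Use a relative Max-Age (RFC 2109) rather than an absolute `expires'
    # date, so client clock or timezone skew cannot shift the lifetime.
    parts = [f"{COOKIE_NAME}={value}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


def login_headers(token: str, cookie_life: int = ADMIN_COOKIE_LIFE) -> List[Tuple[str, str]]:
    """Authenticated response: session cookie unless the site admin set a
    non-zero ADMIN_COOKIE_LIFE, in which case the cookie persists for that
    many seconds. no-cache keeps the page out of the browser cache."""
    max_age = cookie_life if cookie_life > 0 else None
    return [("Set-Cookie", _set_cookie(token, max_age)),
            ("Cache-Control", "no-cache")]


def logout_headers() -> List[Tuple[str, str]]:
    """Logout button: blank the cookie value AND send Max-Age=0, so even a
    browser that ignores one of the two forgets the credential."""
    return [("Set-Cookie", _set_cookie("", 0)),
            ("Cache-Control", "no-cache")]


def cookie_survives(set_cookie: str, session_ended: bool) -> bool:
    """Model the RFC 2109 client rule for one Set-Cookie line: Max-Age=0
    means discard immediately, no Max-Age means discard when the browser
    session ends, a positive Max-Age means keep across sessions."""
    attrs = dict(p.split("=", 1) for p in set_cookie.split("; ")[1:] if "=" in p)
    if "Max-Age" not in attrs:
        return not session_ended
    return int(attrs["Max-Age"]) > 0


if __name__ == "__main__":
    for name, value in login_headers("tok3n") + logout_headers():
        print(f"{name}: {value}")
```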