[Mailman-Developers] Cookies and Authentication redux

Barry A. Warsaw bwarsaw@beopen.com
Thu, 20 Jul 2000 14:07:46 -0400 (EDT)

After private discussions with several people, I am being convinced
that Mailman should change the way it does cookies.  Currently, the
cookie has an `expires' header which is supposed to tell your browser
to persist the cookie for some amount of time, possibly across browser
sessions.  This has several problems:

1) It's a security risk.  If you're using a shared browser, your
   authenticated cookie can be hijacked by the next user.

2) It's prone to clock and timezone problems.  This is the cause of at
   least one user's recent problems; maybe more people are suffering
   the same problem but don't know it.

The solution is two-fold I believe.  First, Mailman should not set the
`expires' header on the cookie at all.  RFC 2109 says that browsers
should then expire the cookie at the end of the session.  Second, we
should provide a `Logout' button on the admin pages which will set
`max-age=0' to tell the browsers (according to RFC 2109) to end the

This comes at a slight cost in convenience, but I think it's worth
it.  I could conceivably keep ADMIN_COOKIE_LIFE, default it to zero to
mean session-cookies-only, and let the site admin set it to a non-zero
value to indicate persistent cookie should be used.

On a related note, I think there may also be problems with some of the
generated pages getting cached improperly, so I further propose to
include the header 'Cache-control: no-cache' on all CGI pages.