[Mailman-Developers] cookies

bwarsaw@python.org bwarsaw@python.org
Wed, 10 May 2000 09:50:10 -0400 (EDT)


>>>>> "TW" == Thomas Wouters <thomas@xs4all.net> writes:

    >> I've been playing with SourceForge a lot lately[1] and I like
    >> what they do.  You login with username/password over a secure
    >> link and once logged in, your primary interaction is across
    >> that link.  Seems intuitive, secure, and convenient.  This is
    >> the direction I think I'd like to go in.

    TW> Hm, I'm not sure how this would work. You log in once through
    TW> SSL and your IP address gets stored in a temporary access list?
    TW> Or does it use some kind of persistent connection? SSH +
    TW> port forwarding?

I think it's simpler than that.  The login screen is an https URL, so
presumably your password is sent over encrypted.  They do drop a
cookie on you, so nothing's different there, but (almost) every URL
you hit from there on out is an https.

Coffee taking effect now, maybe the only thing that's different is
that the login happens over https, which, given that we're emailing
plaintext password reminders, probably isn't such a big deal.

On the other hand, the way SF /seems/ to handle lost passwords is
that they email your account with a URL you can use to change your
password and login.  I say seems, 'cause I didn't actually try it out
(don't want to invalidate my password :).  Since password reminders
get a fair number of negative responses both from admins and users,
this might be a more reasonable approach to take once we have a RUD
(Real User Database).

-Barry
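
An added example, not part of the original message and not Mailman or SourceForge code: a sketch of the emailed reset-URL approach described above, where the mail carries a single-use, expiring token instead of the stored password. The class and function names, the example.org URL, and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

RESET_TTL = 3600  # seconds a reset link stays valid (assumed value)


class ResetStore:
    """Hypothetical in-memory store; a real one would sit in the user database."""

    def __init__(self, base_url="https://lists.example.org/reset"):
        self.base_url = base_url
        self._pending = {}  # address -> (sha256 of token, expiry time)

    def issue(self, address, now=None):
        """Return the URL to mail to `address`; only a hash of the token is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[address] = (digest, now + RESET_TTL)  # replaces older link
        return self.base_url + "?" + urlencode({"addr": address, "token": token})

    def redeem(self, address, token, now=None):
        """True at most once, for a matching and unexpired token."""
        now = time.time() if now is None else now
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):  # constant-time compare
            return False
        del self._pending[address]  # single use; also drops an expired entry
        return now <= expires


def parse_reset_url(url):
    """Split a mailed reset URL back into (address, token)."""
    query = parse_qs(urlsplit(url).query)
    return query["addr"][0], query["token"][0]
```

Unlike a plaintext reminder, a copy of this mail that is read later reveals nothing reusable once the link has been redeemed or has expired.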