W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Re: I-D ACTION:draft-ietf-http-state-mgmt-03.txt, .ps

From: Joseph Arceneaux <jla@arceneaux.com>
Date: Tue, 23 Jul 96 21:49 PDT
Message-Id: <m0uivsx-000A0FC@emptiness.arceneaux.com>
To: lentz@annie.astro.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
   From: Robert A. Lentz <lentz@annie.astro.nwu.edu>
   Date: Tue, 23 Jul 1996 19:44:44 -0500 (CDT)

   Greetings,

   The current cookie proposal appears insufficient to assure a secure
   environment for providing state management in an authenticated system
   where multiple users have access to the same single-user machine.
   ...

I believe there are a number of solutions to this problem, none of
which require changes to the protocol.

One example would be to store the user's password as part of the
session info on the server, and use it to encrypt/decrypt the cookie.
When the first student ends their session (or it times out), the
cookie stored on the browser side becomes meaningless until replaced
with a cookie for a new session.

Joe

----
Joseph Arceneaux
Arceneaux Consulting

http://www.arceneaux.com
jla@arceneaux.com
+1 415 648 9988 (direct)
+1 415 341 1395 (fax)
+1 500 488 9308
Received on Tuesday, 23 July 1996 21:54:47 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:05 EDT