> Why do sites insist on using cookies for user authentication?
HTTP auth requires SSL for all connections or else passwords can be
stolen -- do you include that in your "setup in 5 minutes" overhead?
With cookies, you only need SSL on the login page if you make the cookie
be an opaque ID into server state that has a time-out. In general,
login cookies are more secure with less overhead.
Secondarily, I don't know what the cookie is used for, but perhaps they
intend to eventually (or have previously done this) support some kind
of session or login state; cookies are a natural for that (cf. the title
of the cookie RFC). Even if all that you're doing is avoiding
re-verifying the password, that could be enough state to make a cookie
reasonable.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
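The scheme the reply sketches (an opaque random ID into server-side state with a timeout, so the cookie carries no credential and a stolen ID dies with the session), as an added example that is not part of the original post. The `SessionStore` class, the 15-minute idle timeout and the sample `Authorization` header are assumptions made for this illustration; the second function shows why HTTP Basic auth, by contrast, exposes the password on every request that is not under TLS.

```python
import base64
import secrets
import time

# Constructed example (not from the original post): an opaque-session-ID
# store of the kind the reply describes. The cookie value is a random
# handle into server-side state; it contains no username or password.
SESSION_TIMEOUT = 15 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self._sessions = {}      # sid -> {"user": ..., "last_seen": ...}
        self._timeout = timeout
        self._clock = clock      # injectable clock so expiry is testable

    def login(self, username):
        # 256-bit random handle: reveals nothing if logged or sniffed,
        # and cannot be guessed or forged without server state.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > self._timeout:
            del self._sessions[sid]   # expired: a stolen ID is now useless
            return None
        rec["last_seen"] = self._clock()  # sliding idle timeout
        return rec["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


# Constructed sample header: base64("alice:hunter2")
SAMPLE_BASIC_HEADER = "Basic YWxpY2U6aHVudGVyMg=="


def basic_auth_password(header):
    """HTTP Basic sends the reusable password on every request, so every
    connection (not just the login) needs TLS; anyone who can read the
    header recovers the password directly."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    _user, _, password = base64.b64decode(blob).decode().partition(":")
    return password
```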