OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ati

[ Lists Home | Date Index | Thread Index ]

Elliotte Rusty Harold wrote:

> At 7:05 PM -0800 1/5/04, Robert Koberg wrote:
> 
>>>  In a truly individualized situation all that's needed are URLs of 
>>> the form http://www.example.com/page.html?username=elharo
>>
>>
>>
>> Does your bank do this? If so, which bank do you use?
>> In other words, do you care if someone who knows or guesses your 
>> username can access your individualized situation?
> 
> 
> 
> You're missing a crucial point. The password which is also necessary for 
> access is not included in the URL. The URI identifies the resource but 
> it is not sufficient for access to the resource (unless that's what you 
> want of course. 


I must be missing something (definitely possible). If that URL is what 
tells the server that the request is for a resource you would not like 
others to access, then what does the password have to do with it? Or are 
you saying there is some server session being maintained (and so 
incurring all the overhead associated with it) (I doubt something like 
amazon maintains sessions)? If so, and you use a username to access the 
session, it still seems pretty insecure, at least during your active 
session.

...don't know if this is the best, but...
I generally have a user log in to verify as you mention. Then after 
authentication and before the next view is presented a user state object 
is created, populated and serialized using some random session 
identifier as the system id for the serialized object. Then the id is 
passed to a transformation to render a hidden input in the form to be 
submitted. The object can be deserialized on different machines to 
spread the load.

-Rob



> There are less sensitive situations where I might well 
> want to expose the contents of a personalized page to the world; e.g. my 
> wish list at amazon.com)
> 





 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS