diff options
author | www-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-08-27 11:40:29 +0000 |
---|---|---|
committer | www-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-08-27 11:40:29 +0000 |
commit | 9d0902a7503feb775e6b7a032641f0a970cd5ad1 (patch) | |
tree | f7e7935eb0fd9be45932b0fafe62edf98a311e34 | |
parent | 24359d670d8572630f5a447b8f46e955c1fb3fa4 (diff) |
web commit by JamesWestby
-rw-r--r-- | doc/patchqueue/use-ssl-for-cookies.mdwn | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/doc/patchqueue/use-ssl-for-cookies.mdwn b/doc/patchqueue/use-ssl-for-cookies.mdwn new file mode 100644 index 000000000..c2ee63782 --- /dev/null +++ b/doc/patchqueue/use-ssl-for-cookies.mdwn @@ -0,0 +1,20 @@ +It is very easy to stop the password being sniffed, you just use https:// for cgiurl +(with appropriately configure server of course), and disallow access to the cgiscript +over http. + +However the cookie is still sent for all requests, meaning that it could be stolen. +I don't know quite how well CGI::Session defends against this, but the best it could +do is probably tie it to an IP address, but that still leaves room for abuse. + +I have created a patch that adds a config option sslcookie, which causes the +cookie to have it's secure property set. This means that it is only sent over SSL. +So if you can configure apache to do what you want, you only have to change two options +(cgiurl and sslcookie) to encrypt all authentication data. + +The disadvantage is that if someone were to activate it while using http:// I think it +would mean they couldn't log in, as the browser would never offer the cookie. +I think I have made the documentation clear enough on this point. + +http://jameswestby.net/scratch/sslcookie.diff + +-- JamesWestby
\ No newline at end of file |