From 4ad7c9d6257ca106b2949d22f6300823190991a0 Mon Sep 17 00:00:00 2001 From: joey Date: Sun, 27 Aug 2006 20:25:05 +0000 Subject: * Patch from James Westby to add a --sslcookie switch, which forces cookies to only be sent over ssl connections to avoid interception. * Factor out the cgi header printing code into a new function. * Fix preferences page on anonok wikis; still need to sign in to get to the preferences page. --- doc/patchqueue/use-ssl-for-cookies.mdwn | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 doc/patchqueue/use-ssl-for-cookies.mdwn (limited to 'doc/patchqueue') diff --git a/doc/patchqueue/use-ssl-for-cookies.mdwn b/doc/patchqueue/use-ssl-for-cookies.mdwn deleted file mode 100644 index c2ee63782..000000000 --- a/doc/patchqueue/use-ssl-for-cookies.mdwn +++ /dev/null @@ -1,20 +0,0 @@ -It is very easy to stop the password being sniffed, you just use https:// for cgiurl -(with appropriately configure server of course), and disallow access to the cgiscript -over http. - -However the cookie is still sent for all requests, meaning that it could be stolen. -I don't know quite how well CGI::Session defends against this, but the best it could -do is probably tie it to an IP address, but that still leaves room for abuse. - -I have created a patch that adds a config option sslcookie, which causes the -cookie to have it's secure property set. This means that it is only sent over SSL. -So if you can configure apache to do what you want, you only have to change two options -(cgiurl and sslcookie) to encrypt all authentication data. - -The disadvantage is that if someone were to activate it while using http:// I think it -would mean they couldn't log in, as the browser would never offer the cookie. -I think I have made the documentation clear enough on this point. - -http://jameswestby.net/scratch/sslcookie.diff - --- JamesWestby \ No newline at end of file -- cgit v1.2.3