[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

J C Lawrence claw@kanga.nu
Mon, 17 Jan 2000 22:57:23 -0800


On Mon, 17 Jan 2000 16:09:13 -0500 
Paul Everitt <paul@digicool.com> wrote:

> Amos Latteier wrote:
>> I just spoke with Chris Petrilli who agrees with you. The PTK
>> should not set long lived cookies with authentication
>> information.

> I disagree.  The "password in cleartext on the wire" is the same
> for HTTP Basic Authentication as it is for cookies.  If people want
> to discard their login information, all they have to do is click
> "Logout".

This is partially a human factors question and partially a security
model question.

The thing you don't want to do is to put your PWs in the clear in
your cookies.  If you do, anybody who sniffs a cookie gets everything
forever (they can go change the PW and lock the person out, etc.).
What you do instead is set up some sort of short lived
authentication token that matches a record on the server and equates
to "logged in".  If someone sniffs the cookie they can then only get
in for the short period that the cookie lives.  You then require PW
authentication in addition to the token for all major operations
such as PW changes, account creations, etc.

In fact you can extend this a *little* further by requiring all
instances of the same token to be presented from the same IP that
originally created the token.  This is not really secure as it
doesn't protect against IP spoofing and a host of other silliness,
but it is about as close as you can get to a decently tight system
without involving digital signatures and crypto.  It is about as
close as you can get to the old basic of "what you have plus what
you know" with cookies.

> The vast, vast majority of sites with identities, IMO, use
> long-lived cookies, but ask people if it is OK.  People building
> sites with our software should be able to build sites as "usable"
> as competitive sites, and have an option to clamp down as they
> wish.

There is always the trade-off between usability and security.
That's nothing new.  I would argue however that we have a
responsibility for making a system that can be easily bolted down as
much as possible without involving crypto.

Heck, even the above system used with long lived cookies is better
than nothing.

-- 
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
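The token scheme described in the message above, as an added example that is not part of this thread or of the PTK: a server-side session table of random, short-lived tokens bound to the IP that created them, with the password re-presented for a "major operation" such as a password change. The user table, salt, lifetime and IP strings are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds (the "short lived" part)

# Constructed sample account; a real deployment reads this from its user database.
_SALT = b"constructed-salt"
_ITER = 10_000  # kept low for the example
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

def check_password(user, password):
    """Verify a password against the stored hash with a constant-time compare."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(stored, candidate)

class SessionStore:
    """Server-side table of opaque tokens; the cookie carries only the token."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self.ttl, self.clock, self._sessions = ttl, clock, {}

    def login(self, user, password, client_ip):
        """Exchange credentials for a random token bound to the client's IP."""
        if not check_password(user, password):
            return None
        token = os.urandom(32).hex()  # random; carries no password material
        self._sessions[token] = {"user": user, "ip": client_ip,
                                 "expires": self.clock() + self.ttl}
        return token

    def lookup(self, token, client_ip):
        """Return the user for a live token presented from the creating IP, else None."""
        rec = self._sessions.get(token)
        if rec is None or self.clock() >= rec["expires"]:
            self._sessions.pop(token, None)  # expired tokens are dropped
            return None
        if rec["ip"] != client_ip:  # token must come from the IP that created it
            return None
        return rec["user"]

    def logout(self, token):
        self._sessions.pop(token, None)

def change_password(store, token, client_ip, current_pw, new_pw):
    """Major operation: a valid token is required AND the password is re-checked."""
    user = store.lookup(token, client_ip)
    if user is None or not check_password(user, current_pw):
        return False
    USERS[user] = hashlib.pbkdf2_hmac("sha256", new_pw.encode(), _SALT, _ITER)
    return True
```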