[albatross-users] Re: [Fwd: HTTP state management without cookies?]

Andrew McNamara andrewm at object-craft.com.au
Thu Feb 21 10:34:05 EST 2002


[BTW, we've set up an albatross-users mailing list - go to the Albatross
home page to subscribe:

    http://www.object-craft.com.au/projects/albatross/

>Pls see reference to AuthCookie in the M2Crypto module in the attached
>msg - useful for Albatross?

Yep - I had a look at this about a week ago. 

It suffers the same problem as a lot of other crypto stuff: export
restrictions and patents. In this case, there is functionality they
require from openssl that is often disabled in US-sourced systems.

While that's another good reason to avoid RedHat, it doesn't really help
the new Albatross user - discovering that they not only need to download
M2Crypto, but also rebuild and install openssl from source before they
can use Albatross is going to be daunting - they're likely to give up
before they start. 

And making security an optional extra makes all of us nervous - someone,
eventually, will misunderstand, rely on the weak security, and get burnt.

We do, in fact, need a more portable method of generating secure session
ids (/dev/urandom is probably fine when it's available, but not so useful
for Windows users). Maybe the cookie stuff can be extracted from M2Crypto
(or, at least, their technique for generating good session keys utilised).

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
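The portability problem raised above (a session-id source that works on Windows as well as Unix) and the AuthCookie idea of a server-checked cookie, shown as an added example in current Python. This is not Albatross or M2Crypto code; it assumes `os.urandom` (which draws from the platform CSPRNG on every major OS) and a per-process `SERVER_KEY` stands in for a persistently stored server secret.

```python
"""Portable session ids plus a tamper-evident session cookie (added example)."""
import base64
import hashlib
import hmac
import os

SESSION_ID_BYTES = 16       # 128 bits of entropy per session id
# Constructed per process for the demo; a real server loads one persistent secret
SERVER_KEY = os.urandom(32)


def new_session_id(nbytes=SESSION_ID_BYTES):
    """Return a URL-safe, unpredictable session id.

    os.urandom() reads /dev/urandom on Unix and the system CSPRNG on
    Windows, so the same call works on every platform.
    """
    raw = os.urandom(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_cookie(session_id, key=SERVER_KEY):
    """Return 'sid.mac' so an edited or forged id is detectable server-side."""
    mac = hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    return "%s.%s" % (session_id, mac)


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the session id if the MAC is valid, otherwise None.

    compare_digest() is constant-time, so response timing does not leak
    how many MAC characters a guess got right.
    """
    sid, sep, mac = cookie.rpartition(".")
    if not sep or not sid:
        return None
    expected = hmac.new(key, sid.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return sid


if __name__ == "__main__":
    cookie = sign_cookie(new_session_id())
    print("cookie:", cookie)
    print("verified:", verify_cookie(cookie))
    print("tampered:", verify_cookie("x" + cookie))
```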
