[albatross-users] Re: HTTP state management without cookies?

[Dave Cole]

>>>>> "Andrew" == Andrew McNamara <andrewm at object-craft.com.au> writes:

Andrew> [BTW, we've set up an albatross-users mailing list - go to the
Andrew> Albatross home page to subscribe:

Andrew>     http://www.object-craft.com.au/projects/albatross/

>> Pls see reference to AuthCookie in the M2Crypto module in the
>> attached msg - useful for Albatross?

Andrew> Yep - I had a look at this about a week ago.

Andrew> It suffers the same problem as lot of other crypto stuff:
Andrew> export restrictions and patents. In this case, there is
Andrew> functionality they require from openssl that is often disabled
Andrew> in US-sourced systems.

Andrew> While that's another good reason to avoid RedHat, it doesn't
Andrew> really help the new Albatross user - discovering that they not
Andrew> only need to download M2Crypto, but also rebuild and install
Andrew> openssl from source before they can use Albatross is going to
Andrew> be daunting - they're likely to give up before they start.

Andrew> And making security an optional extra makes all of us nervous
Andrew> - someone, eventually, will misunderstand, rely on the weak
Andrew> security, and get burnt.

Andrew> We do, in fact, need a more portable method of generating
Andrew> secure session id's (/dev/urandom is probably fine when it's
Andrew> available, but not so useful for Windows users). Maybe the
Andrew> cookie stuff can be extracted from M2Crypto (or, at least,
Andrew> their technique for generating good session keys utilised).

Andrew and I discussed this and decided that the most simple solution
would be to use a secret (like the MD5 pickle signing secret) in the
session server to modify the time used to seed the random number
generator.

- Dave

-- 
http://www.object-craft.com.au