[albatross-users] Re: HTTP state management without cookies?
Dave Cole
djc at object-craft.com.au
Thu Feb 21 21:10:48 EST 2002
>>>>> "Andrew" == Andrew McNamara <andrewm at object-craft.com.au> writes:
Andrew> [BTW, we've set up an albatross-users mailing list - go to the
Andrew> Albatross home page to subscribe:
Andrew> http://www.object-craft.com.au/projects/albatross/
>> Pls see reference to AuthCookie in the M2Crypto module in the
>> attached msg - useful for Albatross?
Andrew> Yep - I had a look at this about a week ago.
Andrew> It suffers the same problem as a lot of other crypto stuff:
Andrew> export restrictions and patents. In this case, there is
Andrew> functionality they require from openssl that is often disabled
Andrew> in US-sourced systems.
Andrew> While that's another good reason to avoid RedHat, it doesn't
Andrew> really help the new Albatross user - discovering that they not
Andrew> only need to download M2Crypto, but also rebuild and install
Andrew> openssl from source before they can use Albatross is going to
Andrew> be daunting - they're likely to give up before they start.
Andrew> And making security an optional extra makes all of us nervous
Andrew> - someone, eventually, will misunderstand, rely on the weak
Andrew> security, and get burnt.
Andrew> We do, in fact, need a more portable method of generating
Andrew> secure session ids (/dev/urandom is probably fine when it's
Andrew> available, but not so useful for Windows users). Maybe the
Andrew> cookie stuff can be extracted from M2Crypto (or, at least,
Andrew> their technique for generating good session keys utilised).
Andrew and I discussed this and decided that the simplest solution
would be to use a secret (like the MD5 pickle signing secret) in the
session server to modify the time used to seed the random number
generator.
- Dave
--
http://www.object-craft.com.au
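An added illustration of the two approaches the thread mentions, not code from Albatross or from the posters: prefer the OS entropy source (os.urandom, which reads /dev/urandom on Unix and works on Windows too), and otherwise derive the id from the time-based seed material mixed with a server secret. Instead of reseeding a PRNG, the fallback keys an HMAC-SHA256 with the secret over the time, pid and a counter, so the id cannot be reproduced from the clock alone; the class and function names are my own.

```python
import hashlib
import hmac
import os
import threading
import time


def derive_session_id(secret: bytes, seed_material: bytes) -> str:
    """Keyed derivation: the server secret modifies the time-based seed.

    Without the secret, an observer who can guess the timestamp and counter
    cannot recompute the id; with a bare time-seeded PRNG they could.
    """
    digest = hmac.new(secret, seed_material, hashlib.sha256).hexdigest()
    return digest[:32]  # 128 bits of hex is plenty for a session id


class SessionIdGenerator:
    """Portable session id generator (hypothetical helper for this thread)."""

    def __init__(self, secret: bytes, use_urandom: bool = True):
        if len(secret) < 16:
            raise ValueError("server secret should be at least 16 bytes")
        self._secret = secret
        self._use_urandom = use_urandom
        self._counter = 0
        self._lock = threading.Lock()

    def _seed_material(self) -> bytes:
        # Time alone repeats across threads and fast calls, so add the pid
        # and a monotonically increasing counter to the seed material.
        with self._lock:
            self._counter += 1
            n = self._counter
        return f"{time.time_ns()}:{os.getpid()}:{n}".encode()

    def new_id(self) -> str:
        if self._use_urandom:
            # Preferred path: OS entropy, the "/dev/urandom when available" case.
            return os.urandom(16).hex()
        # Fallback path: secret-keyed derivation from the time-based seed.
        return derive_session_id(self._secret, self._seed_material())
```

Rotating the secret invalidates nothing already issued, since the ids are opaque to clients; it only changes what future ids can be derived from.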