
Re: LYNX-DEV 2.7 release.


From: Foteos Macrides
Subject: Re: LYNX-DEV 2.7 release.
Date: Wed, 29 Jan 1997 10:05:44 -0500 (EST)

root <address@hidden> wrote:
>Foteos Macrides wrote:
>> 
>>      It has a compilation option to set never as the default, which
>> can be overridden in lynx.cfg, and the default can be toggled via a
>> -cookies command line switch.  It doesn't issue statusline messages
>> when it ignores Set-Cookie headers.  They would either whizz by too
>> fast to read, or you'd have to impose sleep()'s to make them persist,
>> which would be just as annoying as the prompts when you don't want
>> to accept any cookies during that session.
>> 
>>      If you haven't set or toggled never as the default, then the
>> default is to prompt for each new domain (and any new cookies from it,
>> if you don't set always or never for it).  You cannot set always as
>> the full session default, only never or prompt.
>> 
>>                              Fote
>
>Is there a reason why you cannot set an "always" value, since I cannot think
>of any security issues (assuming the cookie storage has proper permissions
>(600)), since the remote server can't pass data to other sites anyway.
>Anyway, I would think you should be able to set any of the three, for
>completeness.

        In the general Lynx case (i.e., without my SSL hooks patch or
Tom's SSL daemon) it's entirely a "privacy", not "security", issue.
That behavior reflects my personal judgment on how a browser such as
Lynx should behave, based on "Section 7. PRIVACY" of:

  Linkname: HTTP State Management Mechanism (cookie)
  URL:http://www.ics.uci.edu/pub/ietf/http/draft-ietf-http-state-mgmt-05.txt

and the discussions about State Management in the IETF-WG.  It should be
possible to set a browser such that it never accepts cookies by default,
which can be done via the SET_COOKIES compilation (userdefs.h) and
configuration (lynx.cfg) symbols, and via the -cookies toggle if the
SET_COOKIES symbol was left TRUE.  It should never be possible for a
user to accept cookies unintentionally, and if a site administrator could
set a global symbol for making accept the default, some might, and create
that situation.  I thus would never include that in the FM code set, though
it would be a simple patch if others wanted to offer it, and hopefully
also accept responsibility for possible consequences.

        There are a number of secure servers which use cookies
inappropriately in lieu of proper authentication.  They typically
request initial authentication, pass a cookie in the reply, and
then use the cookie, rather than authentication principles, for
decisions on whether to honor subsequent requests.  That creates
a true "security" issue, e.g., if it's a Web based banking service.
This is yet another reason why, IMHO, Lynx should never support
the possibility of its users accepting and sending cookies unaware
that this is happening.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
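The layering Fote describes (SET_COOKIES compiled in userdefs.h, overridden by lynx.cfg, flipped by the -cookies switch, with only "never" or "prompt" possible as the session default and "always" available per domain only), together with the Domain check that keeps one site from setting cookies for another, modelled as an added example. This is illustrative Python written for this page, not Lynx source and not code from the thread; the class and function names, the `ask` callback and its reply strings, and the draft-style domain-match rule are assumptions made here.

```python
"""Cookie-acceptance policy modelled on the message above.

Illustrative code, not Lynx source.  CookiePolicy, offer(), the ask()
callback and its reply strings ('yes', 'no', 'always', 'never') are
assumptions made for this example.
"""
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Mode(Enum):
    NEVER = "never"
    PROMPT = "prompt"
    ALWAYS = "always"      # valid per domain only, never as the session default


def domain_matches(host: str, domain: str) -> bool:
    """Domain-match in the spirit of the state-management draft: the Domain
    attribute must start with a dot and contain an embedded dot, the request
    host must end with it, and the remaining prefix must contain no further
    dots (so a.b.example.com cannot be claimed by .example.com)."""
    host, domain = host.lower(), domain.lower()
    if not domain.startswith(".") or "." not in domain[1:]:
        return False
    if not host.endswith(domain):
        return False
    prefix = host[: -len(domain)]
    return prefix != "" and "." not in prefix


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into name, value and a dict of
    lower-cased attribute names (valueless flags map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


class CookiePolicy:
    def __init__(self, compiled_set_cookies: bool = True,
                 cfg_set_cookies: Optional[bool] = None,
                 cookies_toggle: bool = False) -> None:
        # userdefs.h SET_COOKIES, overridden by lynx.cfg, then flipped by -cookies.
        enabled = compiled_set_cookies if cfg_set_cookies is None else cfg_set_cookies
        if cookies_toggle:
            enabled = not enabled
        # The session default can only ever be PROMPT or NEVER.
        self.session_default = Mode.PROMPT if enabled else Mode.NEVER
        self.per_domain: Dict[str, Mode] = {}
        self.jar: Dict[Tuple[str, str], str] = {}

    def set_domain_mode(self, domain: str, mode: Mode) -> None:
        self.per_domain[domain.lower()] = mode

    def offer(self, request_host: str, set_cookie: str,
              ask: Callable[[str, str], str]) -> Tuple[bool, str]:
        """Decide whether to store a Set-Cookie received from request_host.
        ask(domain, name) stands in for the statusline prompt; 'always' and
        'never' are remembered so later cookies from that domain do not prompt."""
        name, value, attrs = parse_set_cookie(set_cookie)
        domain = attrs.get("domain", "")
        if domain:
            if not domain_matches(request_host, domain):
                return False, "Domain %s does not match host %s" % (domain, request_host)
        else:
            domain = request_host.lower()
        if self.session_default is Mode.NEVER:
            return False, "session default is never (ignored silently)"
        mode = self.per_domain.get(domain, Mode.PROMPT)
        if mode is Mode.ALWAYS:
            accept, reason = True, "domain set to always"
        elif mode is Mode.NEVER:
            accept, reason = False, "domain set to never"
        else:
            reply = ask(domain, name)
            if reply == "always":
                self.per_domain[domain] = Mode.ALWAYS
            elif reply == "never":
                self.per_domain[domain] = Mode.NEVER
            accept, reason = reply in ("yes", "always"), "user answered " + reply
        if accept:
            self.jar[(domain, name)] = value
        return accept, reason
```

The Domain check runs before any prompt, so a cookie a server tries to set for an unrelated site is dropped without the user being asked; with the session default at NEVER nothing is stored and, as in the message, nothing is reported.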
