
Re: [Gnumed-devel] GNUmed web interface - authentication

From: Richard Taylor
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Tue, 12 Oct 2010 15:20:40 +0100
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100915 Thunderbird/3.1.4

On 07/10/2010 20:19, Luke Kenneth Casson Leighton wrote:
> On Thu, Oct 7, 2010 at 7:54 PM, Sebastian Hilbert
> <address@hidden> wrote:
>> On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
>>> Hi
>> Richard,
>>> It looks to me that there is a security problem with using session
>>> cookies as the method of linking the user identity to the database
>>> connection between requests. The concern is that it would be quite easy
>>> to steal the cookie (either by monitoring the network or by pulling it
>>> from the browser cookie store) and then hijacking the session.
>> That is indeed a problem.
>  you'd use HTTPS to alleviate the network monitoring issue, and i'd
> say that if the user allows access to the machine that is running the
> browser, such that the cookies could be obtained, you have a much
> bigger problem than just the cookies being obtained.

True. But I am aware of this being a real problem in some clinical settings.

>  i would absolutely love it for somebody else to replace the
> non-persistent-HTTP1.0->persistent-HTTP1.1 proxy that i had to write,
> it would be great.

I am thinking about it.
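The thread's concern is a session cookie that can be replayed once captured. An added example (not GNUmed code, and not anything the list members posted) showing the usual server-side mitigations: the cookie carries only an opaque, high-entropy id; user identity lives in a server-side store with an idle timeout; and the Set-Cookie header is emitted with Secure, HttpOnly and SameSite so the browser only sends it over HTTPS and scripts cannot read it. The cookie name `gm_session`, the 15-minute TTL and the in-memory store are assumptions for illustration.

```python
"""Hardened session-cookie handling: opaque id, server-side store with expiry,
and a Set-Cookie header with Secure/HttpOnly/SameSite attributes.
Illustrative code, not part of GNUmed."""
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "gm_session"     # assumed cookie name
SESSION_TTL_SECONDS = 900      # assumed 15-minute idle timeout


class SessionStore:
    """Maps opaque session ids to (user, expiry). The cookie itself never
    contains the user name or any database credential."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, unguessable
        self._sessions[sid] = (user, self._now() + self._ttl)
        return sid

    def lookup(self, sid):
        """Return the user for a valid, unexpired session id, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if self._now() >= expires:
            del self._sessions[sid]  # expired ids are dropped, not refreshed
            return None
        # sliding idle timeout: each successful use extends the session
        self._sessions[sid] = (user, self._now() + self._ttl)
        return user

    def revoke(self, sid):
        """Logout: invalidates the id server-side so a stolen copy is useless."""
        self._sessions.pop(sid, None)


def build_set_cookie(sid, name=COOKIE_NAME, max_age=SESSION_TTL_SECONDS):
    """Render the Set-Cookie header value for a new session."""
    cookie = SimpleCookie()
    cookie[name] = sid
    morsel = cookie[name]
    morsel["secure"] = True        # only sent over HTTPS (network sniffing)
    morsel["httponly"] = True      # not readable from page scripts
    morsel["samesite"] = "Strict"  # not sent on cross-site requests
    morsel["max-age"] = max_age    # browser discards it after the TTL
    morsel["path"] = "/"
    return morsel.OutputString()


def user_for_request(cookie_header, store, name=COOKIE_NAME):
    """Resolve the user from an incoming Cookie header, or None if absent/invalid."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if name not in cookie:
        return None
    return store.lookup(cookie[name].value)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("dr_example")  # constructed sample user
    print("Set-Cookie:", build_set_cookie(sid))
    print("user:", user_for_request(f"{COOKIE_NAME}={sid}; theme=dark", store))
    store.revoke(sid)
    print("after logout:", user_for_request(f"{COOKIE_NAME}={sid}", store))
```

The server-side store is what makes revocation and timeouts effective: a replayed cookie stops working at logout or after the idle period, which a self-contained signed cookie cannot offer without extra state.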

