Re: [Gnumed-devel] GNUmed web interface - authentication
From: Richard Taylor
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Tue, 12 Oct 2010 15:20:40 +0100
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
On 07/10/2010 20:19, Luke Kenneth Casson Leighton wrote:
> On Thu, Oct 7, 2010 at 7:54 PM, Sebastian Hilbert
> <address@hidden> wrote:
>> On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
>>> Hi
>>>
>> Richard,
[snip]
>>
>>> It looks to me that there is a security problem with using session
>>> cookies as the method of linking the user identity to the database
>>> connection between requests. The concern is that it would be quite easy
>>> to steal the cookie (either by monitoring the network or by pulling it
>>> from the browser cookie store) and then hijacking the session.
>>
>> That is indeed a problem.
>
> you'd use HTTPS to alleviate the network monitoring issue, and i'd
> say that if the user allows access to the machine that is running the
> browser, such that the cookies could be obtained, you have a much
> bigger problem than just the cookies being obtained.
>
True. But I am aware of this being a real problem in some clinical settings.
> i would absolutely love it for somebody else to replace the
> non-persistent-HTTP1.0->persistent-HTTP1.1 proxy that i had to write,
> it would be great.
>
I am thinking about it.
R.
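Added example, not GNUmed's code and not from any poster in this thread: a minimal server-side session store of the kind the thread discusses, where an opaque random cookie value is the only thing that links a request to the user (and, in GNUmed's design, to that user's database connection). It shows the defensive measures that limit the damage of a stolen cookie: the store keeps only a hash of the token, sessions expire on an idle timeout and can be revoked, and the Set-Cookie header carries Secure, HttpOnly and SameSite so the cookie is neither sent in clear text nor readable by page scripts. The cookie name `gnumed_session` and the 15-minute timeout are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60          # assumed idle timeout in seconds
COOKIE_NAME = "gnumed_session"  # assumed cookie name


class SessionStore:
    """Maps a session token to a user identity between HTTP requests.
    Only the SHA-256 of the token is stored, so a leaked or logged copy of
    the table does not hand out usable cookies."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": str, "expires": float}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[self._key(token)] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the user bound to the token, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        sess = self._sessions.get(self._key(token))
        if sess is None:
            return None
        if sess["expires"] < now:
            del self._sessions[self._key(token)]  # a stolen cookie stops working here
            return None
        sess["expires"] = now + SESSION_TTL  # sliding idle timeout
        return sess["user"]

    def revoke(self, token):
        """Logout or administrative kill of a session."""
        self._sessions.pop(self._key(token), None)


def session_cookie_header(token):
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Strict (not sent on cross-site requests)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Strict"
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()
```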