[OpenID] rfc2817: https vs http
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Sep 2 01:01:44 UTC 2008
>typically last on the order of five minutes, an insanely conservative
>figure.
>
>What we need is something like HTTPS, shareable across protocols, with
>caches that last at least hours, maybe days.
You can use a custom session handler (not too difficult - databases
work for this) to set your own duration. But the issue here isn't
convenience, it's security. No matter how impeccable the cryptography
end is, it can't detect when a thief has broken into the user's home
and is logging into their sessions. Who logs out when they don't need
to? Or when a temporary network outage prevents someone (let's call
her Alice) at a public terminal from logging out (because it's the
remote server that registers this), and that person doesn't know how
to delete cookies (or doesn't have the permissions on that system to
do so), but has to leave before the network comes back up, and the
next person (let's call him Bob) to visit that site will be prepared
to log into Bob's account, but instead will find that the site
recognizes their computer and says "Hello, Alice. Welcome . . . "
-Shade
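Shade's reply above makes two points: a database-backed session handler lets the site choose its own session lifetime, and a long lifetime is exactly what turns an abandoned public terminal into Bob logging in as Alice. The following is an added example, not code from the post or from any OpenID library, that puts both on the same sqlite3-backed store. The `SessionStore`, `FakeClock` and `shared_terminal_scenario` names are assumptions for illustration, and the timeline (Alice's one request, the outage, Bob arriving a quarter of an hour later) is a constructed scenario.

```python
import secrets
import sqlite3
import time


class SessionStore:
    """Database-backed session handler (sqlite3) with a configurable
    absolute lifetime and idle timeout, both in seconds. Constructed
    example; the names and schema are assumptions, not a real API."""

    def __init__(self, max_lifetime, idle_timeout, db_path=":memory:", now=time.time):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " sid TEXT PRIMARY KEY, user TEXT NOT NULL,"
            " created REAL NOT NULL, last_seen REAL NOT NULL)")
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.now = now  # injectable clock so the scenario below can fast-forward

    def create(self, user):
        """Log `user` in: bind a fresh, unguessable session id to them."""
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.conn.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, user, t, t))
        self.conn.commit()
        return sid

    def lookup(self, sid):
        """Return the user bound to `sid`, or None if it is unknown or expired.
        A live session has its last_seen stamp refreshed (sliding idle window)."""
        row = self.conn.execute(
            "SELECT user, created, last_seen FROM sessions WHERE sid = ?", (sid,)).fetchone()
        if row is None:
            return None
        user, created, last_seen = row
        t = self.now()
        if t - created > self.max_lifetime or t - last_seen > self.idle_timeout:
            self.destroy(sid)  # expired server-side regardless of the client's cookie
            return None
        self.conn.execute("UPDATE sessions SET last_seen = ? WHERE sid = ?", (t, sid))
        self.conn.commit()
        return user

    def destroy(self, sid):
        """Server-side logout. Note that this only runs if the request arrives."""
        self.conn.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        self.conn.commit()


class FakeClock:
    """Manual clock for the scenario; stands in for time.time()."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def shared_terminal_scenario(max_lifetime, idle_timeout):
    """Constructed timeline of the public-terminal case. Returns the user the
    site greets when Bob sits down and the browser replays Alice's cookie."""
    clock = FakeClock()
    store = SessionStore(max_lifetime, idle_timeout, now=clock)
    cookie = store.create("Alice")          # Alice logs in at the public terminal
    clock.advance(60)
    assert store.lookup(cookie) == "Alice"  # one normal request a minute later
    # Network outage: Alice clicks logout, but store.destroy() never runs because
    # the request never reaches the server. The cookie stays in the browser.
    clock.advance(600)                      # she has to leave after ten minutes
    clock.advance(900)                      # Bob arrives fifteen minutes after that
    return store.lookup(cookie)             # the browser sends Alice's cookie for Bob


if __name__ == "__main__":
    print(shared_terminal_scenario(max_lifetime=24 * 3600, idle_timeout=5 * 60))
    print(shared_terminal_scenario(max_lifetime=24 * 3600, idle_timeout=4 * 3600))
```

With a five-minute idle timeout the server has already discarded the row by the time Bob's request arrives, so he gets the login page; with the hours-long timeout the first message asked for, the same request returns "Alice". The duration is a one-line change in the store, which is the convenience half; the scenario function is the security half that no choice of cipher suite changes.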