Subject: Re: Web interface cancels (was Re: Let's define what an auction announcement/update is)
Newsgroups: lugnet.admin.general
Date: Tue, 28 Nov 2000 20:10:41 GMT
Viewed: 308 times

On Tue, Nov 28, 2000 at 07:38:25PM +0000, David Eaton wrote:
> In lugnet.admin.general, Eric Joslin writes:
> > I think it could be cookie based (he said, while simultaneously knowing
> > nothing about cookies). After all, posting identity is cookie based, is it
> > not?
>
> Not really, although it can be. The problem being mainly that the web
> interface will still let you post if you don't have a cookie. It can
> actually give you a new one in some cases. So if I post a message as Bob
> Shmoe, I can get a cookie as him, then cancel his posts. Hence, the problem
> isn't really solved unless Todd implements some user tracking via cookies or
> something.
eh? the only way you can get an id cookie is by putting in the
confirmation code, isn't it? Also, if you can cancel messages only by you,
and only if you're logged in (have to be a member), that's pretty secure...
No way to get the member login cookie without going through the password
page...
> BUT, I suppose you COULD do it off of cookies in a limited way:
> -each post via the web interface has a cookie associated with it.
> -only browsers passing back that cookie are capable of cancelling that message.
>
> The upside is that it'd work, and it'd be secure. But you couldn't
> necessarily cancel posts you made from 'a long time ago' (if your cookies
> were since overwritten, lost, whatever), and you also couldn't cancel posts
> made with another browser (I.E. I can't cancel a post I made from home while
> at work). In other words, it'd be limited. But, yes, it could work. Although
> I dunno much about the message DB. It could be tough to implement on Todd's
> side. Dunno.
this would be a problem, since browsers only keep a limited amount of
cookies at any time... so the cookies would always get lost... also,
couldn't cancel messages here that I posted from another computer...
> I suppose that's true. Certainly if I was mad at Bob Shmoe, I could just
> post via the web interface and say "Hi, I'm an idiot, and I really think
> Dave's wicked cool. - Bob". Although I guess I'd like to have more security
> than less, if possible. Guess it boils down to how much work it is to get an
> authentication system and how Todd feels about it...
I believe the problem here is that, yes, you can secure the web interface
pretty easily - but securing nntp is more difficult, and securing smtp is
very close to impossible... so what's the point of getting only the web
interface?
--
Dan Boger / dan@peeron.com / www.peeron.com / ICQ: 1130750
<set:242_1>: International Flags (LEGO/Classic/Accessories), '58
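
An added example, not part of the original post and not LUGNET's code: the two cancel-authorization schemes discussed in this message, side by side, showing where the per-post cookie fails (other browser, lost cookie) and where a member-login check does not. All names (`SERVER_KEY`, `cancel_token`, the `member_id` field, the sample post) are hypothetical and the data is constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def cancel_token(post_id: str) -> str:
    """Per-post cookie value: an HMAC over the post id, so a client cannot forge it."""
    return hmac.new(SERVER_KEY, post_id.encode(), hashlib.sha256).hexdigest()


def can_cancel_by_post_cookie(post_id: str, browser_cookies: dict) -> bool:
    """Scheme 1: only a browser still holding the cookie set at posting time may cancel."""
    presented = browser_cookies.get("cancel_" + post_id, "")
    return hmac.compare_digest(presented, cancel_token(post_id))


def can_cancel_by_member_login(post: dict, session: dict) -> bool:
    """Scheme 2: the post records the logged-in member who made it; the free-text
    From name is never consulted, so posting 'as Bob' grants nothing."""
    member = session.get("member_id")
    return member is not None and post.get("member_id") == member


def demo() -> dict:
    # Constructed sample data.
    bobs_post = {"id": "1234", "from": "Bob Shmoe", "member_id": "m-bob"}
    anon_post = {"id": "1235", "from": "Bob Shmoe", "member_id": None}  # posted without login
    home = {"cancel_1234": cancel_token("1234")}  # browser that made the post
    work = {}                                     # other browser, or cookie evicted
    forged = {"cancel_1234": "0" * 64}            # guessed cookie value
    return {
        "cookie_same_browser": can_cancel_by_post_cookie("1234", home),
        "cookie_other_browser": can_cancel_by_post_cookie("1234", work),
        "cookie_forged": can_cancel_by_post_cookie("1234", forged),
        "login_owner": can_cancel_by_member_login(bobs_post, {"member_id": "m-bob"}),
        "login_other_member": can_cancel_by_member_login(bobs_post, {"member_id": "m-dave"}),
        "login_not_logged_in": can_cancel_by_member_login(bobs_post, {}),
        "login_anonymous_post": can_cancel_by_member_login(anon_post, {"member_id": "m-dave"}),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```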