On 5/29/07, Stut <stuttle@xxxxxxxxx> wrote:
> Don't get me wrong, I don't want to discourage anyone from thinking about ways to improve it, but personally I consider this issue done to death.
Well, I think the difference is that you send one key (a session identifier) and hash on user agent report, while I send an authentication key and a secondary hash key stored in cookies. I'm sending only nominally more information than you are, so I don't think there's THAT much difference between what we're saying here. As a lot of users would store session IDs as cookies, and fall back to a query string id, like I said, I don't see much of a difference in our approaches, except you don't seem to think mine is acceptable since it's not a "session" id.

If you supply the salt (instead of relying on it being provided, vis a vis, user agent report), and store that in a cookie on the client, and then that client can't reproduce an accurate, unchanged version of that cookie, what change in either the salt and/or the auth id would make this approach unacceptable (and not break the authentication)?

I see major web firms use cookies all the time, so I'm not sure why there is a bias against cookies, besides a user that doesn't support cookies in the first place (which is a real concern, I admit).

I remember a poster on a wall of a tech dept my friend worked for that had a faux-advert for a "security dongle" for a computer. Essentially, it was a rubber stopper that was put on a power cable that provided a "100% secure air gap."

Whether it's been settled or not, I'm not nearly as played out on discussing it (especially if I'm not getting aspects correct) as I am about browser bickering, OS wars, and all the other "dispassionate" discourse currently "enlightening" the internet. At least with security, there's some known benefit to discussing it!

--
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: "If the only tool you have is a hammer, you tend to see every problem as a nail."
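
An added sketch of the two checks compared in this message (not code from either poster): a session ID bound to a hash of the User-Agent header, and an auth ID paired with a server-supplied salt cookie. The function names, the HMAC-SHA256 construction and the server-side secret are assumptions; the thread does not specify them.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _mac(*parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts so field boundaries are unambiguous."""
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


# Approach 1: one session ID; the binding value comes from the User-Agent header.
def issue_ua_bound(user_agent: str):
    sid = secrets.token_urlsafe(32)
    return sid, _mac(sid, user_agent)  # the MAC is stored server-side with the session


def check_ua_bound(sid: str, stored_mac: str, user_agent: str) -> bool:
    return hmac.compare_digest(stored_mac, _mac(sid, user_agent))


# Approach 2: auth ID plus a random salt chosen by the server, both sent as cookies.
def issue_salt_bound():
    cookies = {"auth": secrets.token_urlsafe(32), "salt": secrets.token_urlsafe(16)}
    return cookies, _mac(cookies["auth"], cookies["salt"])


def check_salt_bound(cookies: dict, stored_mac: str) -> bool:
    auth_id, salt = cookies.get("auth"), cookies.get("salt")
    if not auth_id or not salt:
        return False  # a missing cookie fails closed
    # Constant-time comparison: any change to either cookie is rejected.
    return hmac.compare_digest(stored_mac, _mac(auth_id, salt))
```

Both checks detect a missing or altered value; neither distinguishes the original client from one that presents an unchanged copy of the same values, so cookie transport and storage protections remain a separate control.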