[Trac] Headline news: Cookie expiration causes boss to panic
Emmanuel Blot
eblotml at free.fr
Tue Feb 8 19:42:13 EST 2005
> I've seen cvstrac hacked too many times to think easing up on security
> checks is a good idea. It costs one extra mouse click a day to re-login.
I don't see how a session cookie can make the difference?
I don't believe that a session cookie can improve the security: if the HTTP
line gets hacked, there is no way a session cookie can provide higher
security. There is no challenge key or anything like that with a cookie.
It is purely passive information sent back by the browser to the web server.
If you want to achieve better security, the first thing is to use the HTTPS
protocol, where the user/passwd (and the session cookie) are encrypted,
so forging the communication is far more difficult.
I never expect a web application to provide a high level of security. I
prefer to bet on the communication protocol.
Nevertheless, I don't really care about security: Trac is used on an
Intranet, and security is not an issue.
I do not want to remove the session management from Trac: I'd just
like to get a way to disable it in my environment.
Thanks,
Emmanuel