Cookie Trouble
I'm using Mozilla 1.3b and currently have to log myself in every hour or so. Beforehand, the login at least persisted while the browser was open. Did anything change in session management? One other thing: "Remember me" wrote the cookie indefinitely, some time ago. Now it seems it doesn't help, neither in Mozilla nor in IE 6 with the Antville cookie allowed... I have to log myself in every time I open the browser. Is this wanted, security-wise?!
hns
Is your line to the internet subject to frequent reconfiguration, e.g. re-dialing in or otherwise switching IP addresses? Are you going through a proxy server? That might explain your problems, because Antville session cookies rely on IP addresses staying the same (for security considerations).
bens
Yeah.
What does enabling "remember me" do contrary to not enabling it? Because it seems to me that there is no difference in that IP change problem.
[I'd like to have it like this: It should write a cookie that doesn't rely on the IP and doesn't expire. Because, actually, when I'm on the road and want to post over a not secure (or not known) environment, I don't want to log on with my password, because it's all cleartext. I would like the system to recognize my box (in this case a laptop) via the cookie. That's how it was before, if I remember correctly. Entering the password all the time is less secure than having to enter it once. I don't think anyone can steal the cookie off the box that easily?!]
nex
Unfortunately I forgot the details about the cookie problem, but I think someone could fake your cookie if the IP didn't matter. The password is cleartext, yes, but someone who sniffs that off the line could also sniff the cookie off the line.
HTTPS would be cool, of course; I guess that only depends on the web server config.
bens
You're absolutely right: A stored cookie would be going over the line in cleartext if not https, so that wouldn't help.
What about .htaccess password protection, btw? How is that managed? Looks browser-based to me, without being connected to an IP. Could something like this be faked? What's technically happening in that respect? Does the browser have something like a unique ID, or is the password reported over the line again and again?
bens
Okay, it does. Being reported over and over again, that is.
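An added example, not code from the thread or from Apache, showing what .htaccess (HTTP Basic) protection actually puts on the wire: after the first challenge the browser attaches an Authorization header to every request to the protected area, and that header is nothing more than the username and password base64-encoded, not encrypted, with no device identifier of any kind. The header values and request counts below are constructed for the example.

```javascript
// Added example, not from the thread or from any web server's own code.
// Builds and parses the HTTP Basic Authorization header so the cleartext
// nature of the credential is visible. Sample values are constructed.

// What the browser sends on every request once it has the credentials.
function buildBasicAuthHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// What the server (or anyone reading the line) can recover from it.
function parseBasicAuthHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  // The username cannot contain ':', the password can, so split on the first one.
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Simulates several consecutive requests from one browser. The header is
// identical each time, so the password is exposed once per request, not once
// per login; only HTTPS changes that.
function credentialsSeenOnWire(user, password, requests = 3) {
  const header = buildBasicAuthHeader(user, password);
  const seen = [];
  for (let i = 0; i < requests; i++) {
    seen.push(parseBasicAuthHeader(header).password);
  }
  return seen;
}

module.exports = { buildBasicAuthHeader, parseBasicAuthHeader, credentialsSeenOnWire };
```

Base64 here is an encoding, not a secret: `parseBasicAuthHeader` needs no key, which is the answer to the question above of whether anything browser-specific is involved. There is no unique browser ID in the exchange, only the repeated credential.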
bens
Now again, hns, what's the technical difference between having "remember me" turned on and turned off?