[chopwood] / cookies.fhtml

~1[<!-- -*-html-*-
  --
  -- Information about cookies
  --
  -- (c) 2013 Mark Wooding
  -->

<!------- Licensing notice --------------------------------------------------
  --
  -- This file is part of Chopwood: a password-changing service.
  --
  -- Chopwood is free software; you can redistribute it and/or modify
  -- it under the terms of the GNU Affero General Public License as
  -- published by the Free Software Foundation; either version 3 of the
  -- License, or (at your option) any later version.
  --
  -- Chopwood is distributed in the hope that it will be useful,
  -- but WITHOUT ANY WARRANTY; without even the implied warranty of
  -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  -- GNU Affero General Public License for more details.
  --
  -- You should have received a copy of the GNU Affero General Public
  -- License along with Chopwood; if not, see
  -- <http://www.gnu.org/licenses/>.
  -->~]~

<h1>Why and how Chopwood uses cookies</h1>

<h2>Which cookies does Chopwood actually store?</h2>

<p>Chopwood uses only one cookie, named <b>chpwd-token</b>.  The cookie is
stored with a maximum lifetime of 25 minutes: after this time, your browser
should forget all about it (and the server will stop caring about what it
means).

<h2>What do you need this cookie for?</h2>

<p>The cookie contains a token which tells the server that you've logged in
properly.  We could have chosen to use a hidden form field to carry this
token about, but that causes other trouble.

<p>For example, if we used <b>GET</b> requests then the token would appear as
part of a URL, where it would end up being written in the location bar of
many browsers, stored in history databases, many even sent to random cloud
services; this obviously has an adverse effect on security.  Also, the token
is kind of long and ugly.

<p>We could avoid this problem by using <b>POST</b> requests everywhere, but
that causes other trouble.  In particular, you'd get that annoying
<blockquote>
  The page that you&rsquo;re looking for used information that you
  entered.  Returning to hat page might cause any action that you took to be
  repeated.
</blockquote>
message whenever you hit the reload button.

<h2>What's in this cookie?</h2>

<p>If you actually look at the cookie, you find that it looks something like
this:
<blockquote>
  <tt>1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
</blockquote>
(Did I say something about long and ugly?)  It consists of four pieces
separated by dots &lsquo;<tt>.</tt>&rsquo;.

<dl>
<dt>Datestamp
<dd>The time at which the cookie was issued, as a simple count of (non-leap)
seconds since 1974&ndash;01&ndash;01 00:00:00 UTC (or what would have been
that if UTC had existed back then in its current form).

<dt>Nonce
<dd>This is just a random string.  When you change a password, the server
checks that the request includes a copy of this nonce, as a protection
against
<a href='http://en.wikipedia.org/wiki/Cross-site_request_forgery'><em>cross-site
request forgery</em></a> attacks.

<dt>Tag
<dd>This is a cryptographic check that the other parts of the token haven't
been modfied by an attacker.

<dt>User name
<dd>Your user name, in plain text.
</dl>

<h2>How do I know you're not using this as part of some hideous behavioural
advertising scheme?</h2>

<p>That's tricky.  I could tell you that this program is
<a href='http://www.gnu.org/philosophy/free-sw.html'>free software</a>, and
that you can
<a href="~={script}H/~={package}H-~={version}H.tar.gz">">download its
source code</a> and check for yourself.

<p>That's true, except that it shouldn't do much to convince you that this
server is actually running the code it claims to be.  And anyway, Chopwood
itself represents only one of many bits of software which could be keeping
track of you somehow through this cookie.

<p>So, really, it comes down to trust.  Sorry.

~1[<!------- That's all, folks ------------------------------------------>~]~
Commit	Line	Data
a2916c06 MW	1	~1[<!-- --html--
	2	--
	3	-- Information about cookies
	4	--
	5	-- (c) 2013 Mark Wooding
	6	-->
	7
	8	<!------- Licensing notice --------------------------------------------------
	9	--
	10	-- This file is part of Chopwood: a password-changing service.
	11	--
	12	-- Chopwood is free software; you can redistribute it and/or modify
	13	-- it under the terms of the GNU Affero General Public License as
	14	-- published by the Free Software Foundation; either version 3 of the
	15	-- License, or (at your option) any later version.
	16	--
	17	-- Chopwood is distributed in the hope that it will be useful,
	18	-- but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	-- GNU Affero General Public License for more details.
	21	--
	22	-- You should have received a copy of the GNU Affero General Public
	23	-- License along with Chopwood; if not, see
	24	-- <http://www.gnu.org/licenses/>.
	25	-->~]~
	26
	27	<h1>Why and how Chopwood uses cookies</h1>
	28
	29	<h2>Which cookies does Chopwood actually store?</h2>
	30
	31	<p>Chopwood uses only one cookie, named <b>chpwd-token</b>. The cookie is
	32	stored with a maximum lifetime of 25 minutes: after this time, your browser
	33	should forget all about it (and the server will stop caring about what it
	34	means).
	35
	36	<h2>What do you need this cookie for?</h2>
	37
	38	<p>The cookie contains a token which tells the server that you've logged in
	39	properly. We could have chosen to use a hidden form field to carry this
	40	token about, but that causes other trouble.
	41
	42	<p>For example, if we used <b>GET</b> requests then the token would appear as
	43	part of a URL, where it would end up being written in the location bar of
	44	many browsers, stored in history databases, many even sent to random cloud
	45	services; this obviously has an adverse effect on security. Also, the token
	46	is kind of long and ugly.
	47
	48	<p>We could avoid this problem by using <b>POST</b> requests everywhere, but
	49	that causes other trouble. In particular, you'd get that annoying
	50	<blockquote>
	51	The page that you’re looking for used information that you
	52	entered. Returning to hat page might cause any action that you took to be
	53	repeated.
	54	</blockquote>
	55	message whenever you hit the reload button.
	56
	57	<h2>What's in this cookie?</h2>
	58
	59	<p>If you actually look at the cookie, you find that it looks something like
	60	this:
	61	<blockquote>
	62	<tt>1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
	63	</blockquote>
	64	(Did I say something about long and ugly?) It consists of four pieces
65	separated by dots ‘<tt>.</tt>’.
66
67	<dl>
68	<dt>Datestamp
69	<dd>The time at which the cookie was issued, as a simple count of (non-leap)
70	seconds since 1974–01–01 00:00:00 UTC (or what would have been
71	that if UTC had existed back then in its current form).
72
73	<dt>Nonce
74	<dd>This is just a random string. When you change a password, the server
75	checks that the request includes a copy of this nonce, as a protection
76	against
77	<a href='http://en.wikipedia.org/wiki/Cross-site_request_forgery'><em>cross-site
78	request forgery</em></a> attacks.
79
80	<dt>Tag
81	<dd>This is a cryptographic check that the other parts of the token haven't
82	been modfied by an attacker.
83
84	<dt>User name
85	<dd>Your user name, in plain text.
86	</dl>
87
88	<h2>How do I know you're not using this as part of some hideous behavioural
89	advertising scheme?</h2>
90
91	<p>That's tricky. I could tell you that this program is
92	<a href='http://www.gnu.org/philosophy/free-sw.html'>free software</a>, and
8c4d90a3 MW	93	that you can
	94	<a href="~={script}H/~={package}H-~={version}H.tar.gz">">download its
	95	source code</a> and check for yourself.
a2916c06 MW	96
	97	<p>That's true, except that it shouldn't do much to convince you that this
	98	server is actually running the code it claims to be. And anyway, Chopwood
	99	itself represents only one of many bits of software which could be keeping
	100	track of you somehow through this cookie.
	101
	102	<p>So, really, it comes down to trust. Sorry.
	103
	104	~1[<!------- That's all, folks ------------------------------------------>~]~