<h2>What do you need this cookie for?</h2>
-<p>The cookie contains a token which tells the server that you've logged in
-properly. We could have chosen to use a hidden form field to carry this
-token about, but that causes other trouble.
+<p>The cookie contains a token which tells the server that you’ve
+logged in properly. We could have chosen to use a hidden form field to
+carry this token about, but that causes other trouble.
<p>For example, if we used <b>GET</b> requests then the token would appear as
part of a URL, where it would end up being written in the location bar of
is kind of long and ugly.
<p>We could avoid this problem by using <b>POST</b> requests everywhere, but
-that causes other trouble. In particular, you'd get that annoying
+that causes other trouble. In particular, you’d get that annoying
<blockquote>
The page that you’re looking for used information that you
- entered. Returning to hat page might cause any action that you took to be
- repeated.
+ entered. Returning to that page might cause any action that you took
+ to be repeated.
</blockquote>
message whenever you hit the reload button.
-<h2>What's in this cookie?</h2>
+<h2>What’s in this cookie?</h2>
<p>If you actually look at the cookie, you find that it looks something like
this:
<blockquote>
- <tt>1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
+ <tt>1357322139.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
</blockquote>
-(Did I say something about long and ugly?) It consists of four pieces
+(Did I say something about long and ugly?) It consists of three pieces
separated by dots ‘<tt>.</tt>’.
<dl>
<dt>Datestamp
<dd>The time at which the cookie was issued, as a simple count of (non-leap)
-seconds since 1974–01–01 00:00:00 UTC (or what would have been
+seconds since 1970–01–01 00:00:00 UTC (or what would have been
that if UTC had existed back then in its current form).
-<dt>Nonce
-<dd>This is just a random string. When you change a password, the server
-checks that the request includes a copy of this nonce, as a protection
-against
-<a href='http://en.wikipedia.org/wiki/Cross-site_request_forgery'><em>cross-site
-request forgery</em></a> attacks.
-
<dt>Tag
-<dd>This is a cryptographic check that the other parts of the token haven't
-been modfied by an attacker.
+<dd>This is a cryptographic check that the other parts of the token
+haven’t been modfied by an attacker.
<dt>User name
<dd>Your user name, in plain text.
</dl>
-<h2>How do I know you're not using this as part of some hideous behavioural
-advertising scheme?</h2>
+<h2>How do I know you’re not using this as part of some hideous
+behavioural advertising scheme?</h2>
-<p>That's tricky. I could tell you that this program is
-<a href='http://www.gnu.org/philosophy/free-sw.html'>free software</a>, and
-that you can <a href='chpwd'>download its source code</a> and check for
-yourself.
+<p>That’s tricky. I could tell you that this program is
+<a href="http://www.gnu.org/philosophy/free-sw.html">free software</a>, and
+that you can
+<a href="~={script}H/~={package}H-~={version}H.tar.gz">download its
+source code</a> and check for yourself.
-<p>That's true, except that it shouldn't do much to convince you that this
-server is actually running the code it claims to be. And anyway, Chopwood
-itself represents only one of many bits of software which could be keeping
-track of you somehow through this cookie.
+<p>That’s true, except that it shouldn’t do much to convince
+you that this server is actually running the code it claims to be. And
+anyway, Chopwood itself represents only one of many bits of software
+which could be keeping track of you somehow through this cookie.
<p>So, really, it comes down to trust. Sorry.
~mdw / chopwood / blobdiff