X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/chopwood/blobdiff_plain/8c4d90a32395301a94508c5e1efee600a3b0c0c8..dd650029f6d572194a7d9a035f9e55195b64d64c:/cookies.fhtml diff --git a/cookies.fhtml b/cookies.fhtml index 4b3019f..121b2e4 100644 --- a/cookies.fhtml +++ b/cookies.fhtml @@ -35,9 +35,9 @@ means).

What do you need this cookie for?

-

The cookie contains a token which tells the server that you've logged in -properly. We could have chosen to use a hidden form field to carry this -token about, but that causes other trouble. +

The cookie contains a token which tells the server that you’ve +logged in properly. We could have chosen to use a hidden form field to +carry this token about, but that causes other trouble.

For example, if we used GET requests then the token would appear as part of a URL, where it would end up being written in the location bar of @@ -46,58 +46,51 @@ services; this obviously has an adverse effect on security. Also, the token is kind of long and ugly.

We could avoid this problem by using POST requests everywhere, but -that causes other trouble. In particular, you'd get that annoying +that causes other trouble. In particular, you’d get that annoying

The page that you’re looking for used information that you - entered. Returning to hat page might cause any action that you took to be - repeated. + entered. Returning to that page might cause any action that you took + to be repeated.
message whenever you hit the reload button. -

What's in this cookie?

+

What’s in this cookie?

If you actually look at the cookie, you find that it looks something like this:

- 1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw + 1357322139.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw
-(Did I say something about long and ugly?) It consists of four pieces +(Did I say something about long and ugly?) It consists of three pieces separated by dots ‘.’.
Datestamp
The time at which the cookie was issued, as a simple count of (non-leap) -seconds since 1974–01–01 00:00:00 UTC (or what would have been +seconds since 1970–01–01 00:00:00 UTC (or what would have been that if UTC had existed back then in its current form). -
Nonce -
This is just a random string. When you change a password, the server -checks that the request includes a copy of this nonce, as a protection -against -cross-site -request forgery attacks. -
Tag -
This is a cryptographic check that the other parts of the token haven't -been modfied by an attacker. +
This is a cryptographic check that the other parts of the token +haven’t been modfied by an attacker.
User name
Your user name, in plain text.
-

How do I know you're not using this as part of some hideous behavioural -advertising scheme?

+

How do I know you’re not using this as part of some hideous +behavioural advertising scheme?

-

That's tricky. I could tell you that this program is -free software, and +

That’s tricky. I could tell you that this program is +free software, and that you can -">download its +download its source code and check for yourself. -

That's true, except that it shouldn't do much to convince you that this -server is actually running the code it claims to be. And anyway, Chopwood -itself represents only one of many bits of software which could be keeping -track of you somehow through this cookie. +

That’s true, except that it shouldn’t do much to convince +you that this server is actually running the code it claims to be. And +anyway, Chopwood itself represents only one of many bits of software +which could be keeping track of you somehow through this cookie.

So, really, it comes down to trust. Sorry.
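Review bot: in the first hunk (`@@ -35,9 +35,9 @@`), the only substantive change is replacing the ASCII apostrophe with U+2019 in `you’ve` and rewrapping the paragraph; that is fine, but it makes the file depend on being served as UTF-8. Please check that cookies.fhtml is emitted with a matching `charset` (in the Content-Type header or a `<meta charset>`), or use the `&rsquo;` entity instead, otherwise the curly quote will render as mojibake on the page that is supposed to reassure users about the cookie.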
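Review bot: in the second hunk (`@@ -46,58 +46,51 @@`), the rewrapped Tag description still carries the old typo: `+haven’t been modfied by an attacker.` should read "modified". While touching the Datestamp line, also note that `1970–01–01 00:00:00 UTC` uses en-dashes (inherited from the removed `1974–01–01` line); an ISO-style date should use plain hyphens, `1970-01-01`. Finally, this hunk drops the whole Nonce entry, including the sentence explaining that the server checks the nonce on password changes as a protection against cross-site request forgery, and trims the example cookie and "three pieces" count accordingly, but the new text says nothing about how password-change requests are now protected. If that check moved elsewhere, one sentence saying so would stop readers concluding that the CSRF protection was simply removed.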