X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/chopwood/blobdiff_plain/8c4d90a32395301a94508c5e1efee600a3b0c0c8..dd650029f6d572194a7d9a035f9e55195b64d64c:/cookies.fhtml diff --git a/cookies.fhtml b/cookies.fhtml index 4b3019f..121b2e4 100644 --- a/cookies.fhtml +++ b/cookies.fhtml @@ -35,9 +35,9 @@ means).
The cookie contains a token which tells the server that you've logged in -properly. We could have chosen to use a hidden form field to carry this -token about, but that causes other trouble. +
The cookie contains a token which tells the server that you’ve +logged in properly. We could have chosen to use a hidden form field to +carry this token about, but that causes other trouble.
For example, if we used GET requests then the token would appear as part of a URL, where it would end up being written in the location bar of @@ -46,58 +46,51 @@ services; this obviously has an adverse effect on security. Also, the token is kind of long and ugly.
We could avoid this problem by using POST requests everywhere, but -that causes other trouble. In particular, you'd get that annoying +that causes other trouble. In particular, you’d get that annoying
The page that you’re looking for used information that you - entered. Returning to hat page might cause any action that you took to be - repeated. + entered. Returning to that page might cause any action that you took + to be repeated.message whenever you hit the reload button. -
If you actually look at the cookie, you find that it looks something like this:
- 1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw + 1357322139.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw-(Did I say something about long and ugly?) It consists of four pieces +(Did I say something about long and ugly?) It consists of three pieces separated by dots ‘.’.
That's tricky. I could tell you that this program is -free software, and +
That’s tricky. I could tell you that this program is +free software, and that you can -">download its +download its source code and check for yourself. -
That's true, except that it shouldn't do much to convince you that this -server is actually running the code it claims to be. And anyway, Chopwood -itself represents only one of many bits of software which could be keeping -track of you somehow through this cookie. +
That’s true, except that it shouldn’t do much to convince +you that this server is actually running the code it claims to be. And +anyway, Chopwood itself represents only one of many bits of software +which could be keeping track of you somehow through this cookie.
So, really, it comes down to trust. Sorry.
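Review bot: In the first hunk (@@ -35,9 +35,9 @@) the only textual change is the apostrophe in "you've", but the paragraph is re-wrapped at the same time, so all three lines show as removed and re-added. Keeping the original line breaks, or doing the re-wrap in a separate commit, would make the one-character change visible in the diff and keep later blame output useful.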
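Review bot: In the second hunk (@@ -46,58 +46,51 @@) a substantive documentation change is buried among typographic fixes: the example cookie loses its second dot-separated field and "four pieces" becomes "three pieces", alongside apostrophe swaps, the "hat page" typo fix and the removal of the stray `">` before "download its". Since the cookie description is what readers rely on to judge what the token carries, I would split the format change into its own commit (or call it out in the commit message), and confirm that the piece-by-piece description following "separated by dots" now lists exactly three items matching the new example `1357322139.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw`.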