durusmail: quixote-users: a small patch
a small patch
Jonathan Corbet
2002-10-10
> Yep -- I don't think the consequences of stealing an lwn.net session
> cookie would be disastrous.  (Jon?)  That's not the case for all sites.

It would let somebody access another's subscription or, worse, post
comments in somebody else's name.  That's about the worst of it.  For me,
that's bad enough, and I really wanted to take the obvious step to keep it
from happening.

The problem is that the readers see an LWN login as a low-security thing,
and they have made it pretty clear that they would rather it persisted
across an IP address change.  Given the level of potential consequences, I
decided it was better to opt for convenience in this case.  If I were doing
an online banking application, I would have chosen differently.

jon

Jonathan Corbet
Executive editor, LWN.net
corbet@lwn.net

