Re: LYNX-DEV 2.7 release.
From: Foteos Macrides
Subject: Re: LYNX-DEV 2.7 release.
Date: Wed, 29 Jan 1997 10:05:44 -0500 (EST)

root <address@hidden> wrote:
>Foteos Macrides wrote:
>>
>> It has a compilation option to set never as the default, which
>> can be overridden in lynx.cfg, and the default can be toggled via a
>> -cookies command line switch. It doesn't issue statusline messages
>> when it ignores Set-Cookie headers. They would either whizz by too
>> fast to read, or you'd have to impose sleep()'s to make them persist,
>> which would be just as annoying as the prompts when you don't want
>> to accept any cookies during that session.
>>
>> If you haven't set or toggled never as the default, then the
>> default is to prompt for each new domain (and any new cookies from it,
>> if you don't set always or never for it). You cannot set always as
>> the full session default, only never or prompt.
>>
>> Fote
>
>Is there a reason why you cannot set an "always" value, since I cannot think
>of any security issues (assuming the cookie storage has proper permissions
>(600)), since the remote server can't pass data to other sites anyway.
>Anyway, I would think you should be able to set any of the three, for
>completeness.

In the general Lynx case (i.e., without my SSL hooks patch or
Tom's SSL daemon) it's entirely a "privacy", not "security", issue.
That behavior reflects my personal judgment on how a browser such as
Lynx should behave, based on "Section 7. PRIVACY" of:

Linkname: HTTP State Management Mechanism (cookie)
URL:http://www.ics.uci.edu/pub/ietf/http/draft-ietf-http-state-mgmt-05.txt

and the discussions about State Management in the IETF-WG. It should be
possible to set a browser such that it never accepts cookies by default,
which can be done via the SET_COOKIES compilation (userdefs.h) and
configuration (lynx.cfg) symbols, and via the -cookies toggle if the
SET_COOKIES symbol was left TRUE. It should never be possible for a
user to accept cookies unintentionally, and if a site administrator could
set a global symbol for making accept the default, some might, and create
that situation. I thus would never include that in the FM code set, though
it would be a simple patch if others wanted to offer it, and hopefully
also accept responsibility for possible consequences.

There are a number of secure servers which use cookies
inappropriately in lieu of proper authentication. They typically
request initial authentication, pass a cookie in the reply, and
then use the cookie, rather than authentication principles, for
decisions on whether to honor subsequent requests. That creates
a true "security" issue, e.g., if it's a Web based banking service.
This is yet another reason why, IMHO, Lynx should never support
the possibility of its users accepting and sending cookies unaware
that this is happening.

Fote
=========================================================================
Foteos Macrides Worcester Foundation for Biomedical Research
address@hidden 222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
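
A compact model of the cookie acceptance policy described in the message above, added here as an illustration; it is not Lynx source code and not part of the original post. The type and function names, the "cfg < 0 means not set in lynx.cfg" convention, the precedence order, and the `.example` domains are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <strings.h>

/* Session-wide default: deliberately no "always" member. */
typedef enum { SESSION_NEVER, SESSION_PROMPT } session_default;
/* What the user answered for one domain when prompted. */
typedef enum { DOM_ALWAYS, DOM_NEVER } domain_choice;
typedef enum { COOKIE_IGNORE, COOKIE_ACCEPT, COOKIE_ASK_USER } verdict;
struct domain_rule { const char *domain; domain_choice choice; };

/* Assumed precedence: compiled SET_COOKIES value, then lynx.cfg
 * (cfg < 0 means "not set there"), then the -cookies toggle. */
session_default resolve_default(bool compiled, int cfg, bool toggled)
{
    bool on = compiled;
    if (cfg >= 0) on = (cfg != 0);
    if (toggled) on = !on;
    return on ? SESSION_PROMPT : SESSION_NEVER;
}

/* Decide what to do with a Set-Cookie header from `domain`. */
verdict decide(session_default def, const struct domain_rule *rules,
               size_t n, const char *domain)
{
    if (def == SESSION_NEVER)
        return COOKIE_IGNORE;            /* dropped, no status-line message */
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(rules[i].domain, domain) == 0)
            return rules[i].choice == DOM_ALWAYS ? COOKIE_ACCEPT
                                                 : COOKIE_IGNORE;
    return COOKIE_ASK_USER;              /* new domain: prompt the user */
}

/* Invariant check: count the configurations in which a domain the user
 * has never answered for would be accepted. Expected to be 0. */
int silent_accepts(void)
{
    int hits = 0;
    for (int compiled = 0; compiled <= 1; compiled++)
        for (int cfg = -1; cfg <= 1; cfg++)
            for (int toggled = 0; toggled <= 1; toggled++)
                if (decide(resolve_default(compiled, cfg, toggled),
                           NULL, 0, "bank.example") == COOKIE_ACCEPT)
                    hits++;
    return hits;
}

/* Exit status 0 means no configuration accepts a cookie silently. */
int main(void) { return silent_accepts(); }
```

Because `session_default` has no "always" value, the only path to `COOKIE_ACCEPT` runs through a per-domain rule the user created at a prompt.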