
Re: LYNX-DEV 2.7 release.

From: Foteos Macrides
Subject: Re: LYNX-DEV 2.7 release.
Date: Wed, 29 Jan 1997 10:05:44 -0500 (EST)

root <address@hidden> wrote:
>Foteos Macrides wrote:
>>      It has a compilation option to set never as the default, which
>> can be overridden in lynx.cfg, and the default can be toggled via a
>> -cookies command line switch.  It doesn't issue statusline messages
>> when it ignores Set-Cookie headers.  They would either whizz by too
>> fast to read, or you'd have to impose sleep()'s to make them persist,
>> which would be just as annoying as the prompts when you don't want
>> to accept any cookies during that session.
>>      If you haven't set or toggled never as the default, then the
>> default is to prompt for each new domain (and any new cookies from it,
>> if you don't set always or never for it).  You cannot set always as
>> the full session default, only never or prompt.
>>                              Fote
>Is there a reason why you cannot set an "always" value, since I cannot think
>of any security issues (assuming the cookie storage has proper permissions
>(600), since the remote server can't pass data to other sites anyway.
>Anyway, I would think you should be able to set any of the three, for

        In the general Lynx case (i.e., without my SSL hooks patch or
Tom's SSL daemon) it's entirely a "privacy", not "security", issue.
That behavior reflects my personal judgment on how a browser such as
Lynx should behave, based on "Section 7. PRIVACY" of:

  Linkname: HTTP State Management Mechanism (cookie)

and the discussions about State Management in the IETF-WG.  It should be
possible to set a browser such that it never accepts cookies by default,
which can be done via the SET_COOKIES compilation (userdefs.h) and
configuration (lynx.cfg) symbols, and via the -cookies toggle if the
SET_COOKIES symbol was left TRUE.  It should never be possible for a
user to accept cookies unintentionally, and if a site administrator could
set a global symbol for making accept the default, some might, and create
that situation.  I thus would never include that in the FM code set, though
it would be a simple patch if others wanted to offer it, and hopefully
also accept responsibility for possible consequences.

        There are a number of secure servers which use cookies
inappropriately in lieu of proper authentication.  They typically
request initial authentication, pass a cookie in the reply, and
then use the cookie, rather than authentication principles, for
decisions on whether to honor subsequent requests.  That creates
a true "security" issue, e.g., if it's a Web-based banking service.
This is yet another reason why, IMHO, Lynx should never support
the possibility of its users accepting and sending cookies unaware
that this is happening.


 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
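The policy Fote describes above (a session default of "never" or "prompt", never "always"; the default toggled by the -cookies switch; "always"/"never" only as per-domain answers given at the prompt; ignored Set-Cookie headers dropped without a statusline message) is modelled below as an added example. It is not Lynx's own code: the class, the scripted prompt helper, the answer letters y/n/A/V and the domains and Set-Cookie headers are all constructed here for illustration, and the `cookie_header` method goes one step beyond the message by showing what the client would then send back, which is the point of the second paragraph about servers that treat the cookie as authentication.

```python
"""Per-domain cookie acceptance policy modelled on the behaviour described
in the thread: the session default is 'never' or 'prompt' (never 'always'),
the default can be toggled like the -cookies switch, and 'always'/'never'
exist only as per-domain answers given at the prompt. Added example, not
Lynx's own code; the prompt answer letters are an assumption."""

from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def scripted_prompt(answers):
    """Build a prompt callback that replays a fixed list of answers.
    Stands in for the interactive statusline prompt so the policy can
    be exercised offline; raises if more prompts occur than expected."""
    remaining = list(answers)

    def prompt(domain, name):
        if not remaining:
            raise RuntimeError(f"unexpected prompt for {name} from {domain}")
        return remaining.pop(0)

    return prompt


class CookiePolicy:
    SESSION_DEFAULTS = ("never", "prompt")  # 'always' deliberately absent

    def __init__(self, session_default="prompt", prompt=None):
        if session_default not in self.SESSION_DEFAULTS:
            raise ValueError("session default may be 'never' or 'prompt'")
        self.session_default = session_default
        self.per_domain = {}   # domain -> 'always' | 'never', set only by the user
        self.jar = {}          # domain -> {cookie name: value}
        self.ignored = []      # Set-Cookie headers dropped without a message
        # With no UI attached, every prompt is answered 'n' (decline).
        self.prompt = prompt or (lambda domain, name: "n")

    def toggle_default(self):
        """Flip between 'never' and 'prompt', as the -cookies switch does
        to the compiled-in SET_COOKIES default."""
        self.session_default = "prompt" if self.session_default == "never" else "never"

    def receive(self, url, set_cookie_headers):
        """Apply the policy to the Set-Cookie headers of one response.
        Returns the names of the cookies stored."""
        domain = urlsplit(url).hostname
        accepted = []
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if self._accept(domain, name):
                    self.jar.setdefault(domain, {})[name] = morsel.value
                    accepted.append(name)
                else:
                    self.ignored.append((domain, name))
        return accepted

    def _accept(self, domain, name):
        if self.session_default == "never":
            return False                      # global never: no prompt at all
        rule = self.per_domain.get(domain)
        if rule is not None:
            return rule == "always"           # user already answered for this domain
        # Assumed answer letters: y/n for this cookie only, A = always and
        # V = never for this domain (Lynx's real prompt wording is not reproduced).
        answer = self.prompt(domain, name)
        if answer == "A":
            self.per_domain[domain] = "always"
            return True
        if answer == "V":
            self.per_domain[domain] = "never"
            return False
        return answer == "y"

    def cookie_header(self, url):
        """Cookie header value this client would send to url, or None."""
        domain = urlsplit(url).hostname
        stored = self.jar.get(domain)
        if not stored:
            return None
        return "; ".join(f"{k}={v}" for k, v in stored.items())


if __name__ == "__main__":
    # Constructed response headers; the session id stands for the cookie a
    # server might hand out after a login and then treat as authentication.
    headers = ["SESSIONID=deadbeef; Path=/; Secure", "PREF=en; Path=/"]
    policy = CookiePolicy(prompt=scripted_prompt(["V"]))
    print(policy.receive("https://bank.example.test/login", headers))
    print(policy.ignored)
    print(policy.cookie_header("https://bank.example.test/account"))
```

Answering "V" at the first prompt makes every later cookie from that domain drop silently, and nothing is ever sent back; answering "A" stores the session cookie and `cookie_header` shows it would ride along on every subsequent request to that host, which is exactly the unaware-user case the message argues a global "always" default must not create.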
