Using Cookies to Authorize Access
Although cookies have become a major Internet cause célèbre, there really isn’t much difference between name/password-based and cookie-based authorization. In both cases the browser transmits credentials to the server in an HTTP request header: the Authorization header for basic authentication, or the Cookie header for cookies. (A CGI script sees these as the HTTP_AUTHORIZATION and HTTP_COOKIE environment variables.) In both cases security is weak when credentials travel over an unencrypted connection and much stronger when the connection is encrypted with SSL; basic authentication only base64-encodes the name and password, and a cookie is sent verbatim, so on an unencrypted connection anyone who can read the wire can capture and replay either one. In both cases authentication can persist so that users need not repeatedly assert their identities. The chief advantage of the cookie method is also its worst public-relations problem: a cookie that carries an expiration date persists across browser sessions. (With basic authentication, the browser caches credentials only for the duration of a session; a cookie without an expiration date is discarded at the end of the session in the same way.) A persistent cookie enables a server to recognize a user and authorize access automatically, without any input from the user. In order to do that, cookie data has to live on your hard disk. We’ll review what that data is, how it gets onto your hard disk, and how it can be used. But first let’s frame this volatile issue with a few observations:
- Any form of authentication does away with anonymity.
Large areas of the Internet are open to anonymous use and will likely remain so. Groupware, though, is about relationships, and relationships are based on identity. If you choose to participate in a groupware application—on a public Internet site that serves 300,000 magazine subscribers or on an intranet server that hosts a team of a dozen collaborators—you ...
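The two credential channels described above, side by side, as an added example that is not from the book: a small Python authorizer that accepts either a basic-authentication Authorization header or a session cookie, together with the Set-Cookie attributes that decide whether the cookie dies with the browser or persists on disk. The user table, session table, helper names and sample credentials are all constructed for illustration; HttpOnly and Secure are cookie attributes a practitioner would set today and are not discussed in the book’s text.

```python
import base64
import hmac
import secrets
from typing import Optional, Tuple

# Constructed credential store (illustration only). A real deployment keeps
# salted password hashes, not plaintext; the point here is the header flow.
USERS = {"alice": "s3cret"}

# Server-side session table: opaque token -> username. The cookie carries
# only the token, so a stolen cookie is worth exactly as much as the
# password for as long as the token is valid.
SESSIONS = {}


def basic_header(user: str, password: str) -> str:
    """Build the value a browser sends in 'Authorization' for basic auth.

    It is base64, not encryption: anyone who can read the connection can
    decode it, which is why unencrypted transport is called weak.
    """
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>' into (user, password), or None."""
    if not header:
        return None
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic" or not b64.strip():
        return None
    try:
        userpass = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = userpass.partition(":")
    return (user, password) if sep else None


def parse_cookies(header: Optional[str]) -> dict:
    """Split 'a=1; b=2' into a dict; parts without '=' are ignored."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def authorize(headers: dict) -> Optional[str]:
    """Return the authenticated username for a request, or None.

    The cookie is consulted first, so a returning user is recognized
    without the browser resending the password; otherwise fall back to
    basic credentials.
    """
    token = parse_cookies(headers.get("Cookie")).get("session")
    if token and token in SESSIONS:
        return SESSIONS[token]
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        user, password = creds
        expected = USERS.get(user)
        # Constant-time comparison so timing does not leak the password.
        if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return user
    return None


def issue_session_cookie(
    user: str, persistent: bool, over_ssl: bool, max_age: int = 30 * 24 * 3600
) -> str:
    """Return a Set-Cookie header value carrying a fresh session token.

    persistent=True adds Max-Age, which makes the browser write the cookie
    to disk and send it in later sessions; without it the cookie is
    discarded when the browser exits. Secure is set only when the
    connection is SSL/TLS, so the token is never later sent in the clear.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    attrs = [f"session={token}", "Path=/", "HttpOnly"]
    if persistent:
        attrs.append(f"Max-Age={max_age}")
    if over_ssl:
        attrs.append("Secure")
    return "; ".join(attrs)
```

A typical flow is `authorize()` on a request carrying `basic_header("alice", "s3cret")`, then `issue_session_cookie("alice", persistent=True, over_ssl=True)` in the response; later requests carry only `Cookie: session=...` and are recognized with no password at all, which is exactly the convenience and the exposure the text describes. The session table lives in memory here; a server that restarts would invalidate every cookie, which is sometimes a feature.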