[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Secure Cookies (was: Re: lynx-dev 2.8.3rel SSL problems -traces inlcuded

From: Michael Warner
Subject: Secure Cookies (was: Re: lynx-dev 2.8.3rel SSL problems -traces inlcuded)
Date: Sun, 2 Dec 2001 18:40:02 -0800
User-agent: Mutt/1.2.5i

On or about 01 Dec, 2001, Mike Castle
<address@hidden> wrote:

> On Sat, Dec 01, 2001 at 12:58:44PM -0800, Michael Warner wrote:
> > "FORCE_SSL_COOKIES_SECURE:TRUE" keeps me from logging in via the
> > https:// route.  When you get routed from the https:// login to the
> > http:// mail page, it doesn't know what to do with the secure
> > cookie.  I'm guessing, anyway.  I'd always just left it set TRUE
> Hmmm.  Maybe lynx should notify the user with something like "I have a
> cookie I might use, but it's for https (or vice-versa)."  Or something like
> that?  Maybe it does and I've just never triggered it.

I don't know enough (read: I know nothing) about standard
practice in the use of secure cookies, or about secure cookies
themselves, for that matter, to venture an opinion.

What is a secure cookie?  Handshaking plus encryption?

Is redirecting from a secure https://login.server to an unsecure
http://content.server a Bad Thing?  If not, can anybody point me
to an RFC-like object that codifies the SHOULDs, MAYs and MUSTs
of the transaction?  If not, is there a list concensus on
real-world conditions in this area?

The only two https:// sites I've noticed have tried to ship me
off to an http:// server, and failed with a secure cookie.  I'm
pretty sure I've used a few other https sites (though not many),
and didn't have a problem.  I'm guessing now that they kept the
whole session https, and cookies weren't an issue.

Absent knowledge, I guess I'd leave the status quo (secure
cookies off by default, right?) alone, maybe adding a warning to
the lynx.cfg comment about the possible pit-falls of enabling it.

I'd probably shy away from the prompt idea on the basis of
anti-feeping-creaturism, and a personal antipathy toward the
nagging little buggers, but if there's enough real-world
variability in site behavior to make it useful, I might be

The most important thing is what, if anything, the standard says.
I'm used to being smug about Lynx doing the Right Thing, and
don't want to give that up.  Even caving in to serial-<BR>-ers
and incompetent commenters rankles :)

So, anybody willing to offer a learned discourse &/or an RFC

Michael Warner       | Procrastinate now.
<address@hidden> |

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]