Off Topic

RC Steve Sterling rcsteve at tcrcm.org
Tue Dec 21 19:04:13 AKST 2004


Hi-- without disclosing too much of the site's security that would give a
hacker an edge to break in--

On login when you travel into the members-only section (retrieve latest
K-Factor, membership management etc), a non-persistent cookie is set as a
token so you don't have to log in to each separate page you may browse.

Other non-persistent cookies are used to pass values from one page to
another in the membership administration sections (mainly Maureen's domain).

Note they are non-persistent cookies.  They are never written to the user's
hard-disk, unlike "normal" cookies. They only exist as a volatile variable
in that browser session. Closing the browser destroys them. You will also
see a "logout" on some of those members pages, and those destroy the cookies
without closing the browser.

Why did I use non-persistent cookies? Other methods of passing this token
are much easier to hack.

You can test this yourself. Log in to www.nsrca.org/members. You will see a
menu with at least "download kfactor", "Update Password" and "Logout". Click
on "download Kfactor" and/or "Update Password". You get there without
hassle. Hit the browser back button. You get back to the menu
(www.nsrca.org/members/default.asp), again without hassle. Close the browser
window, open up another and go back to the menu at
www.nsrca.org/members/default.asp. It makes you log in again because that
cookie was destroyed.

I only speak for the section I am responsible for (www.nsrca.org/members).
Other people take care of other areas. They may be using cookies (normal or
non-persistent) for other purposes.

Steve Sterling


-----Original Message-----
From: discussion-request at nsrca.org
[mailto:discussion-request at nsrca.org]On Behalf Of Bill Glaze
Sent: Tuesday, December 21, 2004 7:04 AM
To: Discussion
Subject: Off Topic


I'm asking some of the computer gurus on this list:
Why can't I access the NSRCA web site when I have cookies disabled?  I
realize that the commercial sites want to insert cookies into my system
to "further serve me" (ahem) better.  But, inasmuch as I am already
sold<G> on the NSRCA, it seems peculiar to me that they want to install
cookies.  Any help out there for my curiosity?  TIA
btw: I remove all cookies at the end of the particular session.

Bill Glaze
AMA 2221
NSRCA 2388

=================================================
To access the email archives for this list, go to
http://lists.f3a.us/pipermail/nsrca-discussion/
To be removed from this list, go to http://www.nsrca.org/discussionA.htm
and follow the instructions.
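
Added example, not part of the original e-mail and not the NSRCA site's code: a small Python model of the behaviour described in the reply above, where a cookie set without `Expires` or `Max-Age` lives only in browser memory, is gone after the browser closes, and can be cleared by a logout response that sends an expiry in the past. The cookie name `member_token`, the value `abc123`, and the `BrowserJar` and `members_page` helpers are hypothetical and constructed for illustration.

```python
import time
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

class BrowserJar:
    """Toy browser cookie store: session cookies in memory, persistent ones 'on disk'."""
    def __init__(self):
        self.memory = {}  # name -> value; lost when the browser closes
        self.disk = {}    # name -> (value, expiry in epoch seconds)

    def receive(self, header, now=None):
        """Apply one Set-Cookie header value the way a browser would."""
        now = time.time() if now is None else now
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            self.memory.pop(name, None)
            self.disk.pop(name, None)
            if morsel["max-age"] != "":
                expiry = now + int(morsel["max-age"])
            elif morsel["expires"] != "":
                expiry = parsedate_to_datetime(morsel["expires"]).timestamp()
            else:
                self.memory[name] = morsel.value  # no lifetime: session cookie
                continue
            if expiry > now:  # a lifetime already in the past deletes the cookie
                self.disk[name] = (morsel.value, expiry)

    def close_browser(self):
        self.memory.clear()

    def cookies_sent(self, now=None):
        now = time.time() if now is None else now
        live = {n: v for n, (v, exp) in self.disk.items() if exp > now}
        return {**live, **self.memory}

def members_page(jar, valid_tokens):
    """Server-side check: show the menu only if a known token comes back."""
    token = jar.cookies_sent().get("member_token")
    return "menu" if token in valid_tokens else "login"

def walkthrough(login_header):
    """Log in, load the menu, close the browser, load the menu again."""
    jar, valid = BrowserJar(), {"abc123"}  # constructed sample token
    jar.receive(login_header)
    first = members_page(jar, valid)
    jar.close_browser()
    return first, members_page(jar, valid)

if __name__ == "__main__":
    print(walkthrough("member_token=abc123; Path=/members"))                # session
    print(walkthrough("member_token=abc123; Path=/members; Max-Age=3600"))  # persistent
```
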
