Ticket #128 (closed issue: fixed)
[s] Consider modifying the NDG security cookie
Reported by: | lawrence | Owned by: | pjkersha |
---|---|---|---|
Priority: | desirable | Milestone: | BETA+Security |
Component: | security | Version: | |
Keywords: | | Cc: | astephen, lawrence |
Description
Currently the NDG security cookie seems to be set as two cookies, and it might be tidier (and easier in other code) to consider moving to one cookie with the two values part of that, i.e., a cookie of the form 'ndgSecurity' rather than 'NDG-ID1' and 'NDG-ID2'.
Change History
comment:2 Changed 14 years ago by pjkersha
- Status changed from new to closed
- Resolution set to fixed
The new session cookie class ndg.security.common.SessionCookie.SessionCookie combines the cookies into one. This contains the user sessID, user DN and session manager URI concatenated and encrypted using the web server's public key. The web server can now 'see' which session manager to call, so there is no need to have the concept of a local session manager proxying for a remote one and forwarding requests.
Pylons has a facility for encrypting cookies so we may be able to use this instead.
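One way to carry the session ID, user DN and session manager URI in a single 'ndgSecurity' cookie value, as an added example that is not the ndg.security SessionCookie code. The field names, key and sample values are constructed, and an HMAC-SHA256 tag under a server-side key stands in for the public-key encryption described in the comment, so the value here is tamper-evident but not confidential.

```python
import base64
import hashlib
import hmac
import json

COOKIE_NAME = "ndgSecurity"                   # name proposed in the ticket
FIELDS = ("sessID", "userDN", "sessMgrURI")   # hypothetical field names
TAG_LEN = hashlib.sha256().digest_size        # 32 bytes


def pack_cookie(sess_id, user_dn, sess_mgr_uri, key):
    """Serialise the three fields into one cookie-safe, MAC-protected value."""
    # JSON keeps fields unambiguous: DNs contain '/', '=' and ',' and URIs
    # contain ':', so a plain delimiter-joined string could be mis-split.
    payload = json.dumps([sess_id, user_dn, sess_mgr_uri]).encode("ascii")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def unpack_cookie(value, key):
    """Return the fields as a dict; raise ValueError if malformed or altered."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError as exc:  # covers binascii.Error and UnicodeEncodeError
        raise ValueError("cookie is not valid base64url") from exc
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("cookie integrity check failed")
    parts = json.loads(payload)  # parsed only after the MAC has verified
    if not (isinstance(parts, list) and len(parts) == len(FIELDS)
            and all(isinstance(p, str) for p in parts)):
        raise ValueError("unexpected cookie structure")
    return dict(zip(FIELDS, parts))


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    value = pack_cookie("0123abcd",                       # constructed values
                        "/O=Example/OU=Demo/CN=Jane Doe",
                        "https://sm.example.org/SessionManager", key)
    print("%s=%s" % (COOKIE_NAME, value))
    print(unpack_cookie(value, key))
```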