O'Reilly logo

Practical Internet Groupware by Jon Udell

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Using Cookies to Authorize Access

Although cookies have become a major Internet cause célèbre, there really isn’t much difference between name/password-based and cookie-based authorization. In both cases, the browser transmits credentials to the server by way of an HTTP header—it’s either HTTP_AUTHORIZATION or HTTP_COOKIE. In both cases, security is weak when credentials travel over an unencrypted connection and much stronger when the data is encrypted with SSL. In both cases, authentication can persist so that users need not repeatedly assert their identities. The chief advantage of the cookie method is also its worst public-relations problem: cookies persist across browser sessions. (With basic authentication, credentials persist only during a session.) A cookie enables a server to recognize a user and authorize access automatically, without any input from the user. In order to do that, cookie data has to live on your hard disk. We’ll review what that data is, how it gets onto your hard disk, and how it can be used. But first let’s frame this volatile issue with a few observations:

Any form of authentication does away with anonymity.

Large areas of the Internet are open to anonymous use and will likely remain so. Groupware, though, is about relationships, and relationships are based on identity. If you choose to participate in a groupware application—on a public Internet site that serves 300,000 magazine subscribers or on an intranet server that hosts a team of a dozen collaborators—you ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required