[vmchecker-dev] web services specification revised

Claudiu-Dan Gheorghe claudiugh at gmail.com
Fri Mar 12 00:56:55 EET 2010


>
> Ok. But why don't you just check the cookie?

Just checking the cookie is frustratingly insecure.

> Worst case scenario: the cookie is set, but corrupt, you try to display the content
> page but receive a 404 from my services, then you'll redirect to login page. (I
> guess this might also happen when you request smth just as the cookie expires -
> you'll receive a 404 and you'll have to redirect).

I think you're right on this point. I forgot that every data retrieval
service will basically do in the first step what checkAuthentication
does.
Well, I guess in this case we can drop the makeAuthentication service.

Let's also make a format for an authentication error and not rely on
HTTP 404, by adding a new section to the web services wiki.

>
> ps. I see that cs.curs always displays the login page, saying that I'm not logged
> in :D. (only if I request another page - being logged in-, like
> http://cs09.curs.pub.ro/my/ I can do a logout). Great.

I think this is because the cookie is associated only with a certain
domain name. If the application creates a cookie with the session id
in the cs09.curs.pub.ro domain, the cookie won't be sent while
requesting the cs.curs.pub.ro page.

Anyway, Moodle is one of the worst web applications that I've used.

-- 
Claudiu
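
The cookie-scoping behaviour described in the message above, modelled as an added example that is not part of the original e-mail or of vmchecker. It follows the RFC 6265 domain-match and host-only rules; the cookie name `sid`, its value, the host `other.curs.pub.ro` and the assumption that the session cookie is set without a Domain attribute are constructed for illustration.

```javascript
// Added illustration of RFC 6265 cookie scoping (sections 5.1.3, 5.3, 5.4).
// Host names come from the message, except other.curs.pub.ro, which is
// constructed, as are the cookie name and value.
// Simplified: IP-address hosts and public-suffix checks are not handled.

// Domain-match: the hosts are identical, or host ends with "." + cookieDomain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Model what a browser stores for a Set-Cookie received from originHost.
// domainAttr is the Domain attribute, or null when the server omits it.
function storeCookie(originHost, name, value, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact origin host.
    return { name, value, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A server may only set Domain to its own host or a parent of it.
  if (!domainMatch(originHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for requestHost?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

const hosts = ["cs09.curs.pub.ro", "cs.curs.pub.ro", "other.curs.pub.ro"];
const cases = {
  "no Domain attribute": storeCookie("cs09.curs.pub.ro", "sid", "constructed", null),
  "Domain=curs.pub.ro": storeCookie("cs09.curs.pub.ro", "sid", "constructed", "curs.pub.ro"),
  "Domain=cs.curs.pub.ro": storeCookie("cs09.curs.pub.ro", "sid", "constructed", "cs.curs.pub.ro"),
};
for (const [label, cookie] of Object.entries(cases)) {
  const sentTo = hosts.filter((h) => isSent(cookie, h));
  console.log(label + ": " + (cookie ? "sent to " + sentTo.join(", ") : "rejected by the browser"));
}
```

Setting Domain=curs.pub.ro would make the login visible on both names, but it also sends the session cookie to every other host under curs.pub.ro, so each of those hosts has to be trusted with it.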

