On Sun, Sep 17, 2006 at 08:46:40PM -0600, Chris Kuethe wrote:
> On 9/17/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> >On Saturday 16 September 2006 03:33, Bryan Irvine wrote:
> >> Just make a table and write up some script that adds to the table.
> >>
> >> Something like nocat would probably be what you are looking for. Maybe
> >> nocat would work? I've never used it so I don't know.
> >
> >(This applies to all HTTP fw/authpf solutions...)
> >How do you know when a user has "logged out"?
>
> A nasty ugly hack that I've seen in production is that you have to
> make an https request to the gateway every so often (usually once a
> minute). I can think of lots of ways to subvert such a system.

Hmm, I am curious - what sort of things?

Provided, at least, there's some sort of authorization - like each request must pass some function (a hash, probably) of some parameter returned by the last. This isn't even all that difficult - return a redirect to /authorized.cgi?code=as23cd&next=asjgsd, or similar.

Of course, XSS and the like can still ruin your day.

Joachim
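
The chained heartbeat described in the message above, sketched from the gateway's side as an added example that is not part of the original post. It assumes the "function" is HMAC-SHA256 under a per-session key handed to the client at login; the class, function and constant names and the grace period are hypothetical.

```python
import hashlib
import hmac
import secrets

INTERVAL = 60  # heartbeat period in seconds ("once a minute" in the thread)
GRACE = 30     # assumed slack before the gateway gives up on a client


class HeartbeatSession:
    """Gateway-side state for one authenticated client (hypothetical design)."""

    def __init__(self, now):
        self.key = secrets.token_bytes(32)  # assumed: sent to the client at login over https
        self.alive = True
        self._rotate(now)

    def _rotate(self, now):
        self.next = secrets.token_hex(8)    # the `next` value returned in the redirect
        self.deadline = now + INTERVAL + GRACE

    def heartbeat(self, code, now):
        """Return the fresh `next` value on success, None on rejection."""
        if not self.alive or now > self.deadline:
            # Missed heartbeat: treat the user as logged out. A real gateway
            # would remove the client's address from its pf table here.
            self.alive = False
            return None
        expected = client_code(self.key, self.next)
        # Constant-time compare; a stale (replayed) code no longer matches
        # because `next` changed. The session stays up until its deadline,
        # so a bad guess from a third party cannot log the user out.
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return None
        self._rotate(now)
        return self.next


def client_code(key, next_value):
    """The `code` a legitimate client derives from the last `next` it received."""
    return hmac.new(key, next_value.encode(), hashlib.sha256).hexdigest()
```
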