Gregory Maxwell wrote:
On this subject... Wrapping the login site via SSL sounds like a dandy idea, and it sidesteps the whole mess of cert issues if with SUL we were to use a single login portal domain.
However, then we've just pushed the problem back to session cookie theft. Sure, it would still be an improvement since a passive attacker (at say Wikimania...) couldn't sit back and gather passwords, but better still might be possible.
A session cookie will expire. A password probably will not, would allow changing the password, etc.
What are the current industry best practices with respect to binding session data to a client's IP? Do web browsers switch IPs too often for this to be acceptable (AOL?)?
It could be less acceptable to normal users if, each time they switched on their computer, they had to type their password :S
Ideally, that session cookie would be a shared secret stored by the browser, used to compute the (edit) tokens. AFAIK this is unfeasible as of today, unless you force a custom browser.
Another approach could be changing the session cookie very fast (e.g. every 3-4 requests), so a cookie thief couldn't reuse an old cookie.
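As an added illustration (not code from this thread, nor MediaWiki's own session code), the following Python sketch puts the three ideas above side by side: optionally binding a session to the client IP, rotating the session id every few requests so a captured cookie dies quickly, and deriving edit tokens from a per-session secret that never leaves the server. The class names, `ROTATE_EVERY`, `SESSION_TTL` and the injectable clock are assumptions made for the example; the sample IPs and usernames are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical policy knobs for this example (not MediaWiki's values).
ROTATE_EVERY = 3      # issue a fresh session id every N authenticated requests
SESSION_TTL = 3600    # seconds before a session id expires outright


@dataclass
class Session:
    user: str
    secret: bytes                      # per-session secret, kept server-side only
    bound_ip: Optional[str]            # None when IP binding is disabled
    created: float
    requests: int = 0
    sid: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Server-side session table keyed by the value of the session cookie."""

    def __init__(self, bind_ip: bool = True, clock=time.time):
        self.bind_ip = bind_ip
        self.clock = clock            # injectable so expiry can be tested offline
        self._by_sid: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        """Create a session after a (presumed SSL-protected) password login; return the cookie value."""
        s = Session(user=user, secret=secrets.token_bytes(32),
                    bound_ip=client_ip if self.bind_ip else None,
                    created=self.clock())
        self._by_sid[s.sid] = s
        return s.sid

    def authenticate(self, cookie: str, client_ip: str) -> Tuple[Optional[Session], Optional[str]]:
        """Validate a request's cookie.

        Returns (session, new_cookie). new_cookie is set when the id was just rotated
        and the server must send a fresh Set-Cookie; (None, None) means not logged in.
        """
        s = self._by_sid.get(cookie)
        if s is None:
            return None, None
        if self.clock() - s.created > SESSION_TTL:
            del self._by_sid[cookie]
            return None, None
        if s.bound_ip is not None and s.bound_ip != client_ip:
            # A cookie sniffed on one network is useless from another address;
            # the session is dropped rather than left usable by the original client.
            del self._by_sid[cookie]
            return None, None
        s.requests += 1
        if s.requests % ROTATE_EVERY == 0:
            return s, self._rotate(s)
        return s, None

    def _rotate(self, s: Session) -> str:
        """Retire the current id and mint a new one; the old cookie stops working immediately."""
        del self._by_sid[s.sid]
        s.sid = secrets.token_urlsafe(32)
        self._by_sid[s.sid] = s
        return s.sid

    def edit_token(self, s: Session, action: str) -> str:
        """Edit token = HMAC(session secret, action). The secret itself is never sent to the browser."""
        return hmac.new(s.secret, action.encode(), hashlib.sha256).hexdigest()

    def check_edit_token(self, s: Session, action: str, token: str) -> bool:
        return hmac.compare_digest(self.edit_token(s, action), token)


if __name__ == "__main__":
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", "10.0.0.1")
    for n in range(1, 5):
        sess, fresh = store.authenticate(sid, "10.0.0.1")
        print(n, "ok" if sess else "rejected", "rotated" if fresh else "")
        if fresh:
            sid = fresh
    print("stolen cookie from another IP:", store.authenticate(sid, "192.0.2.7"))
```

Two caveats follow directly from the code: with `bind_ip=True`, a client whose address changes mid-session (the AOL-style proxy case raised above) is logged out, which is why the flag is a policy choice rather than a default; and rotation only helps if every response that carries a new id is actually applied by the browser, so parallel requests racing the rotation need care in a real deployment.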