[dokuwiki] Re: cookies

On Wed, 26 Sep 2007 09:22:38 -0400
Jason Keltz <jas@xxxxxxxxxxxx> wrote:

> All this discussion about cookies is making me hungry! :)
> 
> However, I too have a question re: cookies with respect to DokuWiki.
> 
> Presently, I use https for my DokuWiki sites in order to protect 
> usernames and passwords, many of which would be sent in the clear
> over untrusted (wireless) networks.  However, I believe that https is
> slowing down the site.  I've seen cases where sites (including say,
> orkut.com) do https login, and then redirect to http.  My question is
> -- can I do something like this in DokuWiki?

Maybe. There is a bug report suggesting otherwise:
http://bugs.splitbrain.org/index.php?do=details&task_id=1174

> More importantly, how
> could I prevent a session from being hijacked given that a hacker
> could snoop the cookie, and steal the session of a logged in user
> without the use of their username/password? (It seems like this is
> just a general web problem, for which, there may very well be no
> solution...)

DokuWiki cookies are encrypted and bound to a "unique" id created from
parts of the IP and certain browser headers. This should make hijacking
sessions more difficult.

Andi
-- 
http://www.splitbrain.org
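To make the binding Andi describes concrete, here is an added illustration (not DokuWiki's own code; DokuWiki's actual cookie format, the headers it picks and the IP portion it uses are not stated in the mail, so those choices below are assumptions). It derives a "browser uid" from the first two octets of the client IP plus a few request headers, ties the login cookie to that uid with an HMAC instead of encryption, and then shows what a replayed cookie does from three vantage points: the original client, a different network with a different browser, and a neighbour on the same wireless network who copied the victim's headers.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_KEY = b"example-server-key-change-me"


def browser_uid(client_ip: str, headers: dict) -> str:
    """Fingerprint in the spirit of the list reply: a hash over part of the
    client IP (first two octets, an assumed choice, so a DHCP lease change
    inside one network does not log the user out) and a few request headers
    (also an assumed selection)."""
    ip_part = ".".join(client_ip.split(".")[:2])
    material = "|".join([
        ip_part,
        headers.get("User-Agent", ""),
        headers.get("Accept-Language", ""),
        headers.get("Accept-Encoding", ""),
    ])
    return hashlib.sha256(material.encode()).hexdigest()


def issue_cookie(user: str, client_ip: str, headers: dict) -> str:
    """Cookie = user:nonce:mac. The MAC covers the user, a fresh nonce and the
    browser uid of the client the cookie was issued to, so the cookie only
    verifies when presented by a client with the same uid."""
    nonce = secrets.token_hex(16)
    uid = browser_uid(client_ip, headers)
    mac = hmac.new(SERVER_KEY, f"{user}:{nonce}:{uid}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{mac}"


def validate_cookie(cookie: str, client_ip: str, headers: dict):
    """Return the user name if the cookie is intact and the presenting client
    has the same browser uid it was issued to, otherwise None."""
    try:
        # nonce and mac are fixed-width hex, so split from the right in case
        # the user name itself contains a colon.
        user, nonce, mac = cookie.rsplit(":", 2)
    except ValueError:
        return None
    uid = browser_uid(client_ip, headers)
    expected = hmac.new(SERVER_KEY, f"{user}:{nonce}:{uid}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def demo():
    """Constructed sample traffic showing where the binding helps and where
    it does not. Returns (same_client, other_network, same_lan, tampered)."""
    victim_ip = "192.0.2.10"
    victim_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/2.0",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip,deflate",
    }
    cookie = issue_cookie("jas", victim_ip, victim_headers)

    # Legitimate reuse by the client the cookie was issued to: accepted.
    same_client = validate_cookie(cookie, victim_ip, victim_headers)

    # Replay from another network with a different browser: rejected, the
    # browser uid no longer matches.
    other_network = validate_cookie(cookie, "198.51.100.7",
                                    {"User-Agent": "curl/7.16"})

    # Replay by a sniffer on the same wireless segment (same /16, headers
    # copied from the captured request): accepted. Everything the uid is built
    # from was visible in the cleartext HTTP traffic.
    same_lan = validate_cookie(cookie, "192.0.2.77", victim_headers)

    # Cookie with one MAC character flipped: rejected.
    flipped = "0" if cookie[-1] != "0" else "1"
    tampered = validate_cookie(cookie[:-1] + flipped, victim_ip, victim_headers)

    return same_client, other_network, same_lan, tampered


if __name__ == "__main__":
    print(demo())
```

The third case is the one relevant to Jason's scenario: on an untrusted wireless network the eavesdropper usually sits behind the same public address or within the same IP range and can copy the headers verbatim, so binding the cookie to them raises the bar only slightly. Keeping the whole logged-in session on https, not just the login form, is what actually keeps the cookie out of the sniffer's hands.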
