I created this thread to point out any sections of the doc that I don't quite follow:
From www/doc/security-sessions.html (explaining the secure cookie token)
> * ad_secure_token is another TokenLength-character random string which is only
> ever transmitted over SSL (it has Secure specified in the Set-Cookie
> header). Even if someone sniffs the session identifier and grabs the
> insecure token string, they will never be able to gain access to this secure
> token string.
> This cookie is only ever sent to a client once, so there's positively no way
> we could make the mistake of sending it to two users (one masquerading as
> the other). Furthermore, when the secure token is issued (typically on a
> client's first access to the site via HTTPS) we reissue the insecure token
> as well. This way, if Gus sniffs Mary's insecure token and proceeds to make
> a secure access to the site (receiving her secure token), Mary's insecure
> session will stop working, limiting Gus's ability to mess with her.
The way it is explained, I don't understand how Gus's holding of Mary's insecure
session expiring limits his ability. Especially since a new insecure cookie is
provided with the secure cookie (to Gus), giving him full access. I'm sure by reading
the code, the rubbery English will straighten itself out--but it's still a minor
jolt. Could someone expand the Gus and Mary example perhaps with snippets of code
and telnets showing what happens? Thanks! :)
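The Gus and Mary scenario as an added, self-contained Python model of the two-token scheme the quoted doc describes; this is example code, not OpenACS's own session code and not part of the original post. `SessionStore`, `first_https_access` and the session id layout are assumptions; the behaviour modelled is only what the doc states: the secure token is issued once, and the insecure token is reissued at the same time, so the token Gus sniffed stops working for Mary and cannot be used to obtain the secure token again.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_LENGTH = 32  # bytes of randomness per token; stands in for the doc's TokenLength


@dataclass
class Session:
    insecure_token: str                  # sent over plain HTTP as well as HTTPS
    secure_token: Optional[str] = None   # ad_secure_token: only ever sent with Secure set


class SessionStore:
    """Hypothetical server-side session table (constructed for this example)."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Tuple[str, str]:
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(insecure_token=secrets.token_hex(TOKEN_LENGTH))
        return sid, self.sessions[sid].insecure_token

    def check_insecure(self, sid: str, token: str) -> bool:
        s = self.sessions.get(sid)
        return s is not None and secrets.compare_digest(s.insecure_token, token)

    def first_https_access(self, sid: str, token: str) -> Optional[Tuple[str, str]]:
        """Issue the secure token exactly once and reissue the insecure token with it."""
        s = self.sessions.get(sid)
        if s is None or s.secure_token is not None or not self.check_insecure(sid, token):
            return None  # unknown session, secure token already issued, or bad token
        s.secure_token = secrets.token_hex(TOKEN_LENGTH)
        s.insecure_token = secrets.token_hex(TOKEN_LENGTH)   # the old insecure token is now dead
        return s.insecure_token, s.secure_token


def gus_and_mary() -> dict:
    """Walk through the doc's scenario and report what each party can still do."""
    store = SessionStore()
    sid, mary_token = store.new_session()
    sniffed = mary_token                               # Gus sniffs Mary's insecure token
    issued = store.first_https_access(sid, sniffed)    # Gus makes the first HTTPS access
    return {
        "gus_got_secure_token": issued is not None,
        "gus_new_insecure_valid": issued is not None and store.check_insecure(sid, issued[0]),
        "mary_insecure_still_valid": store.check_insecure(sid, mary_token),
        "second_secure_issue_with_old_token": store.first_https_access(sid, mary_token),
        "second_secure_issue_with_new_token": store.first_https_access(sid, issued[0]),
    }
```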