[3877] in WWW Security List Archive
RE: Germany bans cookies! (and a whole lot more)
daemon@ATHENA.MIT.EDU (Darren Cook)
Sat Dec 21 18:36:57 1996
To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Sun, 22 Dec 1996 06:39:45 +0900
Errors-To: owner-www-security@ns2.rutgers.edu
>Rather than pass state or ID info from one page
>to the next via hidden variables or cookies a CGI script that implements the
>following algorithm (more or less) will work:
>
>http server accepts contact and starts the CGI script
>CGI script selects a random unused port
>CGI script forks
>in the parent
>send a redirection message to the client, sending it to the new port
>exit
>in the child
>start up some timeout procedure
>listen for the incoming connection
>process the request

As this is on another port, the web server does not know about it, does it?
So the cgi script has to be a mini web server (e.g. normally the web server
puts some information into environmental variables for your script).
Or am I misunderstanding what you are suggesting?

>wait for more requests
>when we timeout or get some other "done" indication
>exit
>
Even though there is more work involved here, this does sound like a good
way of maintaining state.
However, if it was a secure connection, how do I keep it secure this way -
will my cgi script have to be not just a mini web server, but a mini
*secure* web server?!
Darren
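
The fork-and-redirect scheme quoted in this message, sketched in Python as an added example (not code from the thread). The names `serve` and `start_session`, the `/done` path, the 5-second timeout and the `127.0.0.1` host are assumptions made for illustration. It shows the point raised in the reply: the child has to parse HTTP itself, with no CGI environment variables, over a plain TCP socket.

```python
import os
import socket
import sys

IDLE_TIMEOUT = 5  # seconds of silence before the session ends (assumed value)

def serve(srv, state):
    """Child: a minimal HTTP/1.0 loop. No web server sits in front of this
    port, so there are no CGI environment variables; the request line is
    parsed by hand, and the socket is plain TCP (no TLS)."""
    srv.settimeout(IDLE_TIMEOUT)
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:                  # includes the idle timeout
            return
        with conn, conn.makefile("rb") as request:
            conn.settimeout(IDLE_TIMEOUT)
            parts = request.readline().decode("latin-1").split()
            while request.readline() not in (b"\r\n", b"\n", b""):
                pass                     # skip the request headers
            path = parts[1] if len(parts) >= 2 else "/"
            state["hits"] += 1           # state lives in process memory
            done = path == "/done"       # hypothetical "done" indication
            body = f"hits={state['hits']} done={done}\n".encode()
            head = f"HTTP/1.0 200 OK\r\nContent-Length: {len(body)}\r\n\r\n"
            conn.sendall(head.encode() + body)
        if done:
            return

def start_session(host="127.0.0.1"):
    """Bind an unused port, fork, and return (port, redirect) in the parent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                  # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    if os.fork():                        # parent: answer the server and leave
        srv.close()
        return port, f"Status: 302 Found\r\nLocation: http://{host}:{port}/\r\n\r\n"
    try:                                 # child: detach from the CGI pipes
        null = os.open(os.devnull, os.O_RDWR)
        for fd in (0, 1, 2):
            os.dup2(null, fd)
        serve(srv, {"hits": 0})
    finally:
        os._exit(0)

if __name__ == "__main__":
    sys.stdout.write(start_session()[1])
```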