[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules

Brandon Allbery allbery.b at gmail.com
Thu Feb 28 01:26:57 CET 2013


On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont
<corentin.dupont at gmail.com> wrote:

> Hi Chris,
> Thanks!
> That's true for the user number. What should I do? Encrypt it?


It's not that you have a user number, or even that it's accessible: it's
that it's the entirety of access control, meaning that if the user changes
it they can masquerade as another user. The correct solution is that a user
should authenticate, which creates a session hash that you stash away and
also send back to the user as a cookie so the browser will present it on
accesses. Then you check that the presented hash is there and matches the
session hash. These should expire periodically, requiring the user to log
back in again.

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
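The scheme Brandon describes, written out as an added example (not code from this thread or from Nomyx): the server authenticates, mints a random session token, stashes it in a server-side table with an expiry, and hands only the opaque token back as a cookie; on each request the presented cookie is looked up and the user id comes from the table, never from the client. Python rather than Haskell, and the PBKDF2 password hashing, the 30-minute TTL, the injectable clock and the cookie name `session` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds before a session expires and the user must log in again (assumed)

def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored only as salted hashes; PBKDF2 is a stand-in for whatever the app picks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Server-side session table. The browser holds only an opaque random token;
    the user id it maps to lives here, where the client cannot edit it."""

    def __init__(self, now=time.time):
        self._now = now         # clock is injectable so expiry can be exercised in tests
        self._users = {}        # username -> (user_id, salt, password_hash)
        self._sessions = {}     # token -> (user_id, expires_at)

    def add_user(self, username: str, user_id: int, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (user_id, salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Authenticate; on success mint a fresh token, record it, and return it for the
        Set-Cookie header (send it with the HttpOnly and Secure attributes)."""
        record = self._users.get(username)
        if record is None:
            return None
        user_id, salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable, unlike a user number
        self._sessions[token] = (user_id, self._now() + SESSION_TTL)
        return token

    def current_user(self, cookies: dict):
        """Resolve the cookie the browser presented to a user id, or None if the token is
        absent, unknown (forged or stale) or expired. The user id never comes from the client."""
        token = cookies.get("session")
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if expires_at <= self._now():
            del self._sessions[token]       # expired: drop it and force a fresh login
            return None
        return user_id
```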