Got Milk? Got Cookies? Got Authentication?

lydia lydia at sylvia.harvard.edu
Mon Jan 11 16:02:54 EST 1999


In response to Tom Klingler's announcement,
>> Got Milk?  Got Cookies?  Got Authentication?
>> The LITA Secure Systems & Services Interest Group is presenting an
>> informal managed discussion at ALA Midwinter in Philadelphia on the
>> use of cookies and tokens for authentication.
 
Richard Goerwitz wrote (in part):
> ...I hope you'll also answer the criticism that domain-based
> cookies, like the ones you're using, are positively the worst kind,
> because they cannot easily be intercepted by reverse proxies.
> Cookies (domain or machine-based) can't be intercepted at all by
> URL-rewriting systems used in many institutions, such as the UVa and
> Harvard.

Actually, rewriting cookies in a URL-rewriting system _is_ possible if
you're willing to mess with the HTTP headers as well as just the HTML
source. The current Harvard proxy system does have this functionality,
and it handles cookies just fine. We simply rewrite cookies along with
rewriting URLs. 

I grant that there are a number of other significant limitations to
the URL-rewriting proxy strategy. (Among the most notable of these, I
would say, would be the impossibility of handling any Java- or
JavaScript-generated URLs and the not inconsiderable time-sink of
accommodating irregular usages of HTTP.) Still, for the record,
handling cookies is not automatically one of these limitations.

Now, trying to script a connection to a login-restricted system that
requires cookies... _that_ is a problem. (And if the site also has a
cap on the number of simultaneous users permitted from the account in
question, I don't believe there's any way around this one.)

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
 Lydia Ievins, Systems Librarian          Office for Information Systems
 phone 617/495-3724; fax 617/495-0491     Harvard University Library
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
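
The message above says a URL-rewriting proxy can handle cookies by rewriting the HTTP headers along with the URLs. The sketch below is an added example, not part of the original post and not the Harvard proxy's code: it shows one way to rewrite a `Set-Cookie` header on the way to the browser and to rebuild the `Cookie` header on the way back, so that domain cookies still reach only the origins they were set for. The `px~<scope>~<name>` naming scheme, the function names and the hostnames are assumptions made for illustration.

```python
# Added example: cookie handling in a URL-rewriting proxy (assumed design).
# The origin's cookie scope is folded into the cookie name, because the
# browser only ever talks to the proxy's own hostname.
SEP = "~"  # assumed separator: legal in cookie names, never in hostnames

def domain_match(host, scope):
    """'.example.com' matches the domain and its subdomains; 'h' matches only h."""
    host, scope = host.lower(), scope.lower()
    if scope.startswith("."):
        return host == scope[1:] or host.endswith(scope)
    return host == scope

def rewrite_set_cookie(value, origin_host):
    """Rewrite an origin Set-Cookie value for the browser; None if rejected."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    scope, kept = origin_host.lower(), []   # default: host-only cookie
    for attr in parts[1:]:
        key, _, arg = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            scope = "." + arg.strip().lstrip(".").lower()
        elif key == "path":
            continue  # simplification: path scoping is widened to the proxy root
        elif attr:
            kept.append(attr)  # Secure, HttpOnly, Expires, ... pass through
    # An origin may set cookies only for itself or a parent domain, and not
    # for a bare top-level label (a crude stand-in for a public-suffix check).
    bare_tld = scope.startswith(".") and "." not in scope[1:]
    if not name or bare_tld or not domain_match(origin_host, scope):
        return None
    return "; ".join([f"px{SEP}{scope}{SEP}{name}={val}", "Path=/"] + kept)

def cookies_for_origin(cookie_header, target_host):
    """Build the Cookie header to forward to target_host from the browser's."""
    out = []
    for pair in cookie_header.split(";"):
        name, _, val = pair.strip().partition("=")
        tag, _, rest = name.partition(SEP)
        scope, _, real = rest.partition(SEP)
        if tag == "px" and real and domain_match(target_host, scope):
            out.append(f"{real}={val}")
    return "; ".join(out)
```

Because every rewritten cookie is stored under the proxy's hostname with `Path=/`, the filtering in `cookies_for_origin` is the only thing keeping one vendor's session cookie from being forwarded to another vendor.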



More information about the Web4lib mailing list