Daniel Stenberg wrote:
>But here comes the big "but": your browser won't accept cookies for other
>sites than the one that sends them. That's a security thing.
... and a big "But" it is. And undoubtedly a good one.
Having the best of intentions in mind, I completely overlooked this
issue. Given that the exercise is being executed behind the scenes, but
in a session initiated and, hopefully, carried on in the context of a
specific client's browser, I had hoped that the cookies could be simply
read on their way from the target server to the client browser, thus
enabling me to hand off the "state" of being logged in to the client at
the appropriate moment.
The context of the application is one that
a) asks up front for the user's credentials
b) validates those against my database
c) checks a series of external, access controlled, targets for
user-supplied search criteria
d) and passes back the first screen of results where the search was
[point of failure]
e) hands the session(s) off to the user to explore further
This works just fine in a number of contexts using various search
protocols (and using curl when those aren't on the table) ... except
when client-side cookies are required. And I'd strongly prefer not to
proxy the whole set of sessions through PHP and curl if I can avoid it.
Received on 2004-03-10
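As an added illustration of the scoping rule Daniel refers to (it is not code from this thread or from curl), the following Python sketches the RFC 6265 domain-match check a browser applies to an incoming Set-Cookie, and shows why a cookie the PHP application relays from the access-controlled target is either rejected or bound to the application's own host. Host names and the cookie value are constructed; the public-suffix handling is simplified to "a bare label is never a valid Domain".

```python
# Added illustration of browser cookie scoping (RFC 6265 domain matching),
# not code from the thread. Host names below are constructed examples.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def domain_matches(request_host, cookie_domain):
    """True if request_host equals cookie_domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return (request_host == cookie_domain
            or request_host.endswith("." + cookie_domain))

def cookie_scope(request_host, set_cookie_header):
    """Decide what a browser does with a Set-Cookie received from request_host.

    Returns (accepted, scope): scope is the host (host-only cookie) or the
    domain suffix the browser will later send the cookie to, or None.
    """
    _name, _value, attrs = parse_set_cookie(set_cookie_header)
    domain = attrs.get("domain")
    if domain is None:
        # No Domain attribute: host-only cookie, bound to the responding host.
        return True, request_host.lower()
    domain = domain.lower().strip(".")
    if "." not in domain:
        # A bare top-level label such as "com" is a public suffix: rejected.
        return False, None
    if not domain_matches(request_host, domain):
        # Domain names a site other than the responding host: rejected.
        return False, None
    return True, domain

# Constructed hosts: the PHP application and one access-controlled target.
APP_HOST = "search.app.example"
TARGET_HOST = "catalog.target.example"
TARGET_COOKIE = "session=c0ffee; Path=/; Domain=catalog.target.example"

if __name__ == "__main__":
    # The target's Set-Cookie relayed inside the app's own response: rejected.
    print(cookie_scope(APP_HOST, TARGET_COOKIE))
    # The same header arriving directly from the target: accepted for it.
    print(cookie_scope(TARGET_HOST, TARGET_COOKIE))
```

Stripping the Domain attribute before relaying does not help either: the browser then stores a host-only cookie for the application's host and never sends it to the target.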