[rescue] Punch the Monkey (was: SS2 memory?)

Greg A. Woods woods at weird.com
Fri Mar 8 15:27:45 CST 2002


[ On Friday, March 8, 2002 at 15:00:54 (-0500), Joshua D Boyd wrote: ]
> Subject: Re: [rescue] Punch the Monkey (was: SS2 memory?)
>
> Javascript is handy, but it shouldn't be required.

J$ is evil -- never "handy" -- it's the hand of some real devil (not
that poofy incarnation in Redmond :-)

HTML is never supposed to be executed!  The person who thought of
including code embedded in HTML should be shot.  Even delivering applets
with HTTP is a questionable idea.  Any kind of code migration outside of
a security domain is a very bad idea, even if it's written in a
so-called "safe" language (which java really isn't).

>  For ASP style sites
> (ASP == Application Service Provider, ASP != MS Crap), cookies seem like
> a good idea.

HTTP Cookies are "necessary" in so few situations that they really
should be re-designed properly.  They MUST NOT EVER be stored on disk,
for one.  That's where the evil of J$ and cookies gets right out of hand
(because one good use for temporary cookies is to hold authentication
tickets).

>  Personally, for
> application style sites, a session cookie is just a plain sensible way to do
> things.

Nope.  Session cookies are evil incarnate too.  That's what URL
parameters are for!

However the mere concept of introducing "sessions" to HTTP accesses is
totally brain dead.  Applications can be easily designed not to require
"sessions" per se, usually just by following proper client/server
protocol design guidelines.  Only problem is we need to resurrect a
whole bunch of mainframe programmers to teach all the web weenies how to
do it right (and even then we'd need to teach the mainframers how the
web works first -- I've seen some atrocious implementations of web
front-ends to mainframe applications too).

>  In general, I'm happy to allow session cookies for most sites.  I
> dislike permanent cookies for the most part, except the NY Times site (that
> they require a login is a pain, but I'm willing to make the trade) and other
> semi-"subscription" news and trade sites.  The three that I allow permanent
> cookies for are the NY Times and Gamasutra sites.  Well, I don't go too far
> out of my way to prevent other sites from setting cookies that I don't want
> them to.  I should just get a proxy setup that does this for me.

Mozilla is beginning to get logins right -- it automatically logs you
in, and you can set it up so it won't start without a password.  Just
set up a profile with your private web passwords and away you go.

> There is one java applet that I want to run (but the sysadmin refuses to
> install it on the web server).  That is the java ssh client applet.  But, the
> CS sysadmin won't install it.  That is something I intend to install on the
> machine I'm configuring to colo.

Oh, yeah, I've used that one too -- and have it installed, but only with
other people's browsers!  ;-)

You can put it on your personal web page -- it doesn't have to be
installed by a sysadmin.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
