WPI has implemented pubcookie from www.pubcookie.org. Pubcookie issues your browser a cookie, which your browser then presents to the WPI web server to identify you to the server.
This mechanism has two advantages:
- The login page for all applications which require you to identify yourself is a pubcookie login page. It will look the same and will have the same URL, so you don't have to worry about whether it is secure to offer your CCC login ID and password to various different pages.
- The cookie stays in your browser for a time so that you do not have to keep giving your login and password. Your identity will be remembered.
This last feature is a double-edged sword. If anyone else steps up to your browser and uses it within the life of this authenticating cookie, they can assume your identity automatically. There are many things that can be done with your identity across the web, including actions which affect your academic career and finances.
As a result, once you have authenticated, be sure never to leave your screen unattended. If you get up from the PC, lock the screen with a good password that only you know. Alternatively, you can exit the browser once you have used the service for which you authenticated, but this will, of course, prevent your automatic re-use of the cookie. You will have to authenticate again if you need a secured service.
You will notice that the cookie has a 15-minute time-to-live (TTL) by default. When we discussed implementing this feature, people liked its convenience, but there was a worry about misuse of the cookie by someone other than the person who originally obtained it. The compromise is to keep the TTL short. Select a longer TTL, to enjoy the convenience of not authenticating again in the browser session, only if you understand the dangers and take responsibility for locking your PC or exiting the browser when you leave the PC.
Last modified: Friday, 25-Jul-2003 17:17:08 UTC root@wpi.edu