rws@EXPO.LCS.MIT.EDU (Bob Scheifler) (08/16/90)
Now, if the idea it that the cookies should *always* be dynamic, it's already
suffering, because there's no decent way to reload cookies during a session
with xrdb or the like just now...
It was definitely expected that cookie be dynamic (regenerated at each session,
as is done by xdm). They certainly aren't secure enough for long-lived use.
By "reloading" I assume you mean some way to add new ones and revoke old ones.
This isn't a defect with MIT-MAGIC-COOKIE-1, it's simply a deficiency in not
having an authorization control extension, which would permit adding and
revoking authorizations in general. Yes, we realize such an extension is
likely necessary, but it probably needs to be thought out in the general
context of security, and we didn't feel like cobbling together a hack for R4.