[Opensource] passwd in cookie
Michael Rimov
rimovm at centercomp.com
Thu Oct 10 13:10:14 PDT 2002
At 11:21 AM 10/10/2002 -0700, you wrote:
>that's fine with me; I'm just curious if this feature exists "in the wild"
>already.
Yeah... however, if you pick a decent cryptoKey for the serverside, the
cookie will be encrypted properly with AES, and that will go a long way to
preventing it getting stolen.
What I'd REALLY like is to come up with a scheme that prevents cookie
replay. Right now, if somebody steals a cookie, although they can't get
the password easily, they CAN replay it to the server and thus get the
permissions of the person whose cookie they stole.
But I can't find a decent way to prevent this. I was originally thinking
of a time stamp that is stamped with the last login, but if the user
switches between two different browsers/machines, it means that automatic
login won't work at all for them because the timestamps would seem to be
jumping back and forth.
Anyway, just food for thought. :)
-Mike
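The last-login timestamp scheme sketched above, as an added stand-alone example that is not code from the original thread. It swaps the post's AES encryption for an HMAC tag (standard library only), since what matters for replay is binding the cookie to the latest recorded login; the key, user name and timestamps are constructed, and the module-level dict stands in for a server-side session store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder, not a real key

# Server-side record of each user's most recent login timestamp.
last_login: dict = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, now: int) -> str:
    """Record a fresh login and mint a cookie bound to that login's timestamp."""
    last_login[user] = now
    payload = json.dumps({"user": user, "login_ts": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def check_cookie(cookie: str) -> Optional[str]:
    """Return the user if the cookie is authentic and still the latest login, else None."""
    try:
        body, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload), tag):
        return None  # tampered or forged
    data = json.loads(payload)
    if last_login.get(data["user"]) != data["login_ts"]:
        return None  # stale: a newer login has superseded this cookie
    return data["user"]


def demo() -> dict:
    """Show both the replay protection and the two-browser usability problem."""
    browser_a = issue_cookie("alice", 1000)          # login on machine A
    stolen_copy = browser_a                           # attacker grabs A's cookie
    replay_ok_before = check_cookie(stolen_copy) == "alice"
    browser_b = issue_cookie("alice", 2000)          # alice logs in on machine B
    replay_rejected = check_cookie(stolen_copy) is None
    a_auto_login_broken = check_cookie(browser_a) is None  # legit browser A also fails
    b_works = check_cookie(browser_b) == "alice"
    return {"replay_ok_before": replay_ok_before, "replay_rejected": replay_rejected,
            "a_auto_login_broken": a_auto_login_broken, "b_works": b_works}
```

The stale check is what stops replay after the next login, and it is also exactly why two browsers keep invalidating each other.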