[Opensource] passwd in cookie

Tino W. Dai tdai at jcorporate.com
Fri Oct 11 11:07:40 PDT 2002


Hi Mike,

   Actually, I was thinking about this in how the encrypted cookie could
be taken and still not be able to be used. Could we not encrypt the IP
address and the MAC address into the cookie? That would solve some of
the problems. Also, a more exotic encryption scheme would be the
different gateways and routers that the packet passes through from the
server to client as part of the encrypted cookie. What does the
community think?

-Tino

On Thu, 2002-10-10 at 16:10, Michael Rimov wrote:
> At 11:21 AM 10/10/2002 -0700, you wrote:
> >that's fine with me; I'm just curious if this feature exists "in the wild" 
> >already.
> 
> Yeah... however, if you pick a decent cryptoKey for the serverside, the 
> cookie will be encrypted properly with AES, and that will go a long way to 
> preventing it getting stolen.
> 
> What I'd REALLY like is to come up with a scheme that prevents cookie 
> replay.  Right now, if somebody steals a cookie, although they can't get 
> the password easily, they CAN replay it to the server and thus get the 
> permissions of the person whose cookie they stole.
> 
> But I can't find a decent way to prevent this.  I was originally thinking 
> of a time stamp that is stamped with the last login, but if the user 
> switches between two different browsers/machines, it means that automatic 
> login won't work at all for them because the timestamps would seem to be 
> jumping back and forth.
> 
> Anyway, just food for thought. :)
>                                                  -Mike
> 
> 
> _______________________________________________
> Opensource mailing list
> Opensource at jcorporate.com
> http://mail.jcorporate.com/mailman/listinfo/opensource
> Archives: http://mail.jcorporate.com/pipermail/opensource/

-- 
Tino Dai
Technical Project Manager
tdai at jcorporate.com
http://www.jcorporate.com
Open standards based on Java components
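The scheme the two posts circle around (bind the cookie to the client address, give it an absolute expiry rather than a "last login" stamp, and refuse a value that has already been presented) can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from the list, from Expresso, or from jcorporate; it uses an HMAC from the Python standard library for integrity instead of the AES encryption Mike mentions, because the binding and replay checks are identical either way. The key, the in-memory nonce set and the function names are all constructed for the illustration.

```python
"""Auto-login cookie bound to the client address, with an expiry and a
single-use nonce so that a copied cookie cannot simply be replayed.
Added example; not the list's or the project's own code."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed server-side key: a real deployment loads it from configuration.
SERVER_KEY = b"constructed-example-key-not-for-real-use"

# Server-side memory of nonces already redeemed.  In a real deployment this
# lives in the session store or database, not in a module-level set.
_used_nonces = set()


def _mac(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, hex encoded."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, now: Optional[float] = None,
                 ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Mint a cookie for `user` that is only valid from `client_ip` until now+ttl."""
    now = int(time.time() if now is None else now)
    payload = {
        "user": user,
        "ip": client_ip,                                      # address binding
        "exp": now + ttl,                                     # absolute expiry
        "nonce": base64.b16encode(os.urandom(8)).decode(),    # single-use id
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    return "%s.%s" % (body, _mac(body, key))


def verify_cookie(cookie: str, client_ip: str, now: Optional[float] = None,
                  key: bytes = SERVER_KEY) -> Tuple[Optional[str], str]:
    """Return (user, "ok") on success or (None, reason) on failure.

    A successful check consumes the nonce, so the caller must hand the
    browser a fresh cookie (see auto_login)."""
    now = int(time.time() if now is None else now)
    body, _, tag = cookie.rpartition(".")
    # Check integrity first: anything after this point came from our server.
    if not body or not hmac.compare_digest(tag, _mac(body, key)):
        return None, "bad-mac"
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if payload["exp"] < now:
        return None, "expired"
    if payload["ip"] != client_ip:
        return None, "address-mismatch"
    if payload["nonce"] in _used_nonces:
        # Either the legitimate browser is re-sending a stale cookie or a
        # copy is being replayed; both are worth logging on the server.
        return None, "replayed"
    _used_nonces.add(payload["nonce"])
    return payload["user"], "ok"


def auto_login(cookie: str, client_ip: str,
               now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Handle one request: verify the presented cookie and, on success,
    return a rotated replacement for the browser to store."""
    user, reason = verify_cookie(cookie, client_ip, now)
    if user is None:
        return None, reason
    return issue_cookie(user, client_ip, now), "ok"
```

Two notes on the design. Rotating the cookie on every successful auto-login gives each browser its own chain of nonces, so a user who alternates between two machines is not locked out the way a single "last login" timestamp would lock them out; a stolen copy is rejected once the legitimate browser has used its own, and if the thief gets there first the legitimate user's next visit fails with "replayed", which is the detection signal to act on. Binding to the MAC address, on the other hand, is not available to a web server: the client's MAC is replaced at the first router hop, so only the source IP is visible, and even that changes for users behind load-balanced proxies or mobile carriers, which is why the address check should be paired with a short expiry rather than relied on alone.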
