[Opensource] passwd in cookie
Michael Rimov
rimovm at centercomp.com
Fri Oct 11 13:46:30 PDT 2002
At 02:07 PM 10/11/2002 -0400, you wrote:
>Hi Mike,
>
> Actually, I was thinking about this in how the encrypted cookie could
>be taken and still not be able to be used. Could we not encrypt the ip
>address
> and the mac address into the cookie?
Hi Tino,
The problem with encrypting the ip address is that each time a laptop user
moves around, or a dialup user redials, they're likely to have a different
ip. MAC address would be much more useful, but I'm unaware of how to get
it from the Java APIs???
>the problems. Also, a more exotic encryption scheme would be the
>different gateways and routers that the packet passes through from the
>server to client as part of the encrypted cookie. What does the
>community think?
Well, backtracing the cookie would take significant time, so the login and
logout process could slow to a crawl. Unless you see a way to do it that I
don't? But either way, I guess the same problems apply here as apply to ip
addresses.
I'm glad to have thoughts on the replay problem.
We could also potentially encode a validity period of, say, one week
rather than 90 days. This could at least narrow the window of replay
usage. I believe time stamping is how Kerberos takes on replay. [Except
theirs is probably about 30 minutes or so... and 30 minutes for a cookie
wouldn't work too well]
-Mike
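The two ideas in the message above (a validity period stamped into the cookie to narrow the replay window, and tying the cookie to a client attribute such as the IP address, with the roaming-user problem that brings) as a worked example. This is added illustration, not code from the list or from the project under discussion, and it is in Python rather than Java. It assumes a server-side key (`SERVER_KEY`, hypothetical), claim names `user`/`iat`/`exp`/`bind` of my own choosing, and uses an HMAC-SHA256 tag rather than encryption: authenticity is what stops the client from rewriting the expiry, and encryption alone does not give that.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side key: generated once per deployment and never sent to
# the client.  A fresh random key here means cookies last only this process lifetime.
SERVER_KEY = secrets.token_bytes(32)

# Validity period discussed above: one week instead of ninety days.
DEFAULT_TTL = 7 * 24 * 3600


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user, key=SERVER_KEY, ttl=DEFAULT_TTL, now=None, binding=None):
    """Build 'payload.tag'.  The payload carries the validity window; the HMAC tag
    stops the client from extending it.  `binding` is an optional client attribute
    (an IP address in the thread's proposal) the cookie is tied to."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "iat": now, "exp": now + ttl}
    if binding is not None:
        claims["bind"] = binding
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, key=SERVER_KEY, now=None, binding=None):
    """Return the claims if the cookie is authentic, inside its validity window and
    (when bound) presented from the same client attribute; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None             # forged or tampered: reject before trusting the JSON
    claims = json.loads(payload)
    # Time stamping: a replayed cookie is only usable inside [iat, exp).
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    # Client binding: the check that bites a roaming laptop or redialling modem user.
    if claims.get("bind") is not None and claims["bind"] != binding:
        return None
    return claims


def tamper_expiry(cookie, new_exp):
    """Attacker helper: rewrite 'exp' in the payload while keeping the old tag."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["exp"] = new_exp
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    t0 = 1_034_369_190                       # fixed 'now' so the run is reproducible
    c = issue_cookie("tino", now=t0, binding="203.0.113.5")   # constructed sample
    print(verify_cookie(c, now=t0 + 3600, binding="203.0.113.5"))    # accepted
    print(verify_cookie(c, now=t0 + 3600, binding="198.51.100.7"))   # None: IP changed
    print(verify_cookie(c, now=t0 + DEFAULT_TTL, binding="203.0.113.5"))  # None: too late
    print(verify_cookie(tamper_expiry(c, t0 + 90 * 86400),
                        now=t0 + 30 * 86400, binding="203.0.113.5"))  # None: tag mismatch
```

The expiry bounds how long a stolen cookie stays useful but does not stop replay inside the window; that needs server-side state (a session table consulted on logout) or a shorter window with re-issue, which is the Kerberos-style trade-off the message mentions.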