[Opensource] passwd in cookie
Tino Dai
tdai at optonline.net
Fri Oct 11 18:21:43 PDT 2002
BTW, anybody have an Apple that we can find out how to get the MAC
address from (for both System 9 and OS 10). Thanks!
-Tino
On Fri, 2002-10-11 at 16:46, Michael Rimov wrote:
> At 02:07 PM 10/11/2002 -0400, you wrote:
> >Hi Mike,
> >
> > Actually, I was thinking about this in how the encrypted cookie could
> >be taken and still not be able to be used. Could we not encrypt the ip
> >address and the mac address into the cookie?
>
> Hi Tino,
>
> The problem with encrypting the ip address is that each time a laptop user
> moves around, or a dialup user redials, they're likely to have a different
> ip. MAC address would be much more useful, but I'm unaware of how to get
> it from the Java APIs???
>
>
>
> >the problems. Also, a more exotic encryption scheme would be the
> >different gateways and routers that the packet passes through from the
> >server to client as part of the encrypted cookie. What does the
> >community think?
>
> Well, backtracing the cookie would take significant time, so the login and
> logout process could slow to a crawl. Unless you see a way to do it that I
> don't? But either way, I guess the same problems apply here as apply to ip
> addresses.
>
> I'm glad to have thoughts on the replay problem.
>
> We could also potentially encode a validity period of, say, one week
> rather than 90 days. This could at least narrow the window of replay
> usage. I believe time stamping is how Kerberos takes on replay. [Except
> theirs is probably about 30 minutes or so... and 30 minutes for a cookie
> wouldn't work too well]
>
> -Mike
>
>
> _______________________________________________
> Opensource mailing list
> Opensource at jcorporate.com
> http://mail.jcorporate.com/mailman/listinfo/opensource
> Archives: http://mail.jcorporate.com/pipermail/opensource/
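
The validity-period idea from the quoted reply, as an added example that is not code from the thread or from the project: the expiry time is sealed inside the cookie with AES-GCM, so it cannot be extended without failing authentication. The class name `ExpiringCookie`, the `user|expiry` payload layout, the demo key and the sample times are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
public class ExpiringCookie {            // hypothetical class, not part of any project API
    private static final SecureRandom RNG = new SecureRandom();

    // Seal "user|expiry" with AES-GCM; layout of the cookie is base64url(iv || ciphertext+tag).
    static String seal(SecretKey key, String user, long expiresAtEpochSec) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);               // fresh IV per cookie, never reused with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal((user + "|" + expiresAtEpochSec).getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user name, or null if the cookie is malformed, tampered with, or expired.
    static String open(SecretKey key, String cookie, long nowEpochSec) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookie);
            if (in.length < 12 + 16) return null;    // too short to hold IV plus GCM tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            String plain = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
            int sep = plain.lastIndexOf('|');
            if (sep < 0) return null;
            return nowEpochSec < Long.parseLong(plain.substring(sep + 1)) ? plain.substring(0, sep) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;                 // bad tag, bad base64 or bad number: reject
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();            // constructed demo key; a server would keep a persistent one
        long now = 1_000_000_000L;                   // constructed "current time" in epoch seconds
        String cookie = seal(key, "tino", now + 7 * 24 * 3600);     // one-week validity
        System.out.println(open(key, cookie, now + 3600));          // inside the window: user name
        System.out.println(open(key, cookie, now + 8 * 24 * 3600)); // presented after expiry: null
    }
}
```

A copied cookie is still accepted until the sealed expiry passes, so the validity period bounds the replay window rather than closing it.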