[Opensource] passwd in cookie
Michael Rimov
rimovm at centercomp.com
Sun Oct 13 02:53:22 PDT 2002
<snip> <snip>
> >
> > Well, backtracing the cookie would take significant time, so the login and
> > logout process could slow to a crawl. Unless you see a way to do it that I
> > don't? But either way, I guess the same problems apply here as apply to ip
> > addresses.
>I don't agree Mike. If a laptop redials or loses his/her connection
>somehow, the chances are that the physical path to Expresso will not
>change. Usually, the hardware is still the same regardless of the ip
>address.
But this is defeating the point of having a login cookie in the first
place. The point of it is to allow instant login over a significant period
of time. (ex: 90 days). If the user is a notebook user, they will
DEFINITELY be switching locations time and time again. So having the
functionality of a login cookie becomes a moot point.
[To David H. now]
RE: counter.
I thought of that, but my problem is that I, for example, switch between
browsers quite often, and thus the system would squeal, and cry 'replay
attack', when all I did was switch my browser or switch my machine. I DO
think it's significantly simpler CPU-wise. Thinking about it, I guess if I
switch browsers, I would create a 'gap' in the numbering sequence, and I
could record that 'gap' on the server's database. If a cookie presents
itself with that gap record, then we update it with the latest sequence,
and remove the 'gap' entry from the internal records. Could be a source of
error, but what do you guys think?
-Mike
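
The counter with 'gap' records discussed in the message above, as an added example that is not part of the original post and is not Expresso code. Assumptions: the class and method names are hypothetical, an in-memory dict stands in for the server's database, the cookie value is integrity-protected elsewhere, and the gap policy shown is one reading of the proposal.

```python
# Added illustration; names and the gap policy are assumptions, not Expresso code.
from dataclasses import dataclass, field


@dataclass
class UserCounter:
    latest: int = 0                         # newest sequence number issued; 0 = none yet
    gaps: set = field(default_factory=set)  # older numbers still held by another browser


class ReplayDetected(Exception):
    pass


class CookieCounterStore:
    """Stands in for the server's database table, one row per user."""

    def __init__(self):
        self.users = {}

    def _issue(self, state):
        # The cookie being superseded may still sit in a different browser,
        # so keep it as a gap record instead of forgetting it.
        if state.latest:
            state.gaps.add(state.latest)
        state.latest += 1
        return state.latest

    def password_login(self, user):
        """Fresh login (new browser or machine): hand out the next number."""
        return self._issue(self.users.setdefault(user, UserCounter()))

    def cookie_login(self, user, seq):
        """Validate a presented cookie number and return its replacement."""
        state = self.users.get(user)
        if state is None:
            raise ReplayDetected(f"no counter for {user}")
        if seq == state.latest:
            state.latest += 1          # normal case: same browser, just rotate
            return state.latest
        if seq in state.gaps:
            state.gaps.discard(seq)    # known gap: the user switched browsers
            return self._issue(state)  # the browser left behind becomes the gap
        raise ReplayDetected(f"stale sequence {seq} for {user}")
```

A cookie copied from an idle browser still matches a gap record once; when the legitimate browser later presents the same number, `ReplayDetected` is raised, which is the point to log the event and require a password login.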