[Opensource] passwd in cookie
Tino Dai
tdai at optonline.net
Tue Oct 15 09:06:41 PDT 2002
Hi Everybody,
I have been thinking about this login cookie that we have been
tossing around (no pun intended), and I think that the ascending numbers
scheme might work (stress on the might). My idea behind this would be
that with every packet that is sent, the cookie would get updated with the
next number. And if we could get blocks of continuous numbers, that
would represent a legal user that is logged in. But that doesn't block
hackers from stealing your cookie. Now, my idea along these lines was to
have a separate cookie for each machine that you are logged in from, and
each of these cookies would have an ascending counter that is independent
from one another, thereby making the gaps a non-issue. Also, we can look
at a symmetric-key, server-timestamped, encrypted cookie. What do you
guys think about that?
-Tino
>
> But this is defeating the point of having a login cookie in the first
> place. The point of it is to allow instant login over a significant period
> of time. (ex: 90 days). If the user is a notebook user, they will
> DEFINITELY be switching locations time and time again. So having the
> functionality of a login cookie becomes a moot point.
>
> [To David H. now]
> RE: counter.
> I thought of that, but my problem is that I, for example, switch between
> browsers quite often, and thus the system would squeal and cry 'replay
> attack', when all I did was switch my browser or switch my machine. I DO
> think it's significantly simpler CPU-wise. Thinking about it, I guess if I
> switch browsers, I would create a 'gap' in the numbering sequence, and I
> could record that 'gap' on the server's database. If a cookie presents
> itself with that gap record, then we update it with the latest sequence,
> and remove the 'gap' entry from the internal records. Could be a source of
> error, but what do you guys think?
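The per-device ascending-counter scheme from the message above, written out as an added example (this is not code from the list thread or from any project discussed on it). It assumes a server-side HMAC-SHA256 tag over a `user|device|counter|issued` payload, a single server secret, the 90-day lifetime mentioned in the thread, and hypothetical class and function names (`LoginCookieStore`, `check`, `walkthrough`). Because each (user, device) pair has its own counter, switching between a laptop and a desktop never creates a gap that the server has to record. The walkthrough also shows the limit Tino points out: a thief who presents a stolen cookie first is accepted, and the theft only surfaces afterwards, when the legitimate user's now-stale cookie is rejected.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumption: one secret key held only by the server; rotating it invalidates every cookie.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 90 * 24 * 3600  # the 90-day "instant login" window from the thread


class LoginCookieStore:
    """Server side of a per-device, ascending-counter login cookie (example design).

    Each (user, device_id) pair has its own counter, so a user who switches between
    machines never creates a gap in another device's sequence. The server stores only
    the counter it last issued per device; a presented cookie must carry exactly that
    value, after which the counter is advanced and a fresh cookie is returned.
    """

    def __init__(self, key: bytes = SERVER_KEY, now=time.time):
        self.key = key
        self.now = now          # injectable clock so expiry can be exercised offline
        self.counters = {}      # (user, device_id) -> last counter issued

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def _encode(self, user: str, device_id: str, counter: int, issued: int) -> str:
        payload = f"{user}|{device_id}|{counter}|{issued}".encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._tag(payload).hex()

    def issue(self, user: str, device_id: str) -> str:
        """Hand out the next cookie for this device, server-timestamped and tagged."""
        counter = self.counters.get((user, device_id), 0) + 1
        self.counters[(user, device_id)] = counter
        return self._encode(user, device_id, counter, int(self.now()))

    def revoke(self, user: str, device_id: str) -> None:
        """Log one device out without touching the user's other devices."""
        self.counters.pop((user, device_id), None)

    def check(self, cookie: str):
        """Validate a presented cookie.

        Returns (status, user, next_cookie). status is "ok" on success, otherwise one of
        "malformed", "bad_tag", "expired", "stale", "unknown" with user/next_cookie None.
        On "ok" the counter has been advanced and next_cookie replaces the one sent.
        """
        try:
            b64, tag_hex = cookie.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(b64)
            tag = bytes.fromhex(tag_hex)
        except (ValueError, binascii.Error):
            return "malformed", None, None
        # Verify the tag in constant time before trusting any field of the payload.
        if not hmac.compare_digest(tag, self._tag(payload)):
            return "bad_tag", None, None
        try:
            user, device_id, counter_s, issued_s = payload.decode().split("|")
            counter, issued = int(counter_s), int(issued_s)
        except ValueError:
            return "malformed", None, None
        if self.now() - issued > MAX_AGE_SECONDS:
            return "expired", None, None
        last = self.counters.get((user, device_id))
        if last is None:
            return "unknown", None, None   # device logged out, or server state lost
        if counter < last:
            # Older than the outstanding counter: a replayed cookie, or the real user
            # presenting a cookie a thief has already spent. Reject and alarm.
            return "stale", None, None
        if counter > last:
            return "unknown", None, None   # impossible with a valid tag unless the key leaked
        return "ok", user, self.issue(user, device_id)


def walkthrough() -> list:
    """Scenario from the thread: one user, two machines, and a stolen cookie (constructed)."""
    clock = [1_000_000]
    store = LoginCookieStore(key=b"\x01" * 32, now=lambda: clock[0])
    out = []
    laptop = store.issue("alice", "laptop")
    desktop = store.issue("alice", "desktop")
    status, _, laptop2 = store.check(laptop); out.append(status)     # ok
    out.append(store.check(laptop)[0])                                # stale: replay of a spent cookie
    out.append(store.check(desktop)[0])                               # ok: desktop counter is independent
    status, _, thief_next = store.check(laptop2); out.append(status)  # ok: thief uses laptop2 first
    out.append(store.check(laptop2)[0])                               # stale: alice's own request now fails
    clock[0] += MAX_AGE_SECONDS + 1
    out.append(store.check(thief_next)[0])                            # expired: past the 90-day window
    return out
```

The tag is checked before any field is parsed, so a tampered counter or timestamp is rejected as `bad_tag` rather than reaching the counter logic; the symmetric-key, server-timestamped variant Tino mentions differs only in that the payload would also be encrypted, which this HMAC-only version does not do.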