[3841] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (Robert P Cunningham)
Wed Dec 18 16:02:18 1996
Date: Wed, 18 Dec 96 08:05 WET
From: bob@lava.net (Robert P Cunningham)
To: kaibay@skcc.co.kr, song@skcc.co.kr
Cc: daver@idiom.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> In this way, even though the underlying password wasn't readable in the
> cookie, because all cookie passwords (in this config) are decrypted the
> same way, the encrypted password simply becomes the password.
True. So you want to include other information in the encrypted
value in addition to just the password and/or user name.
It's a good idea to include the last access date. (Record that on
the server side as well.) Check it on the next login. If the
encrypted last access date in the cookie doesn't agree with what's stored
on the server, prompt for username/password before granting access
and updating the cookie.
A stolen copy of the cookie can then only be used up until the next
time the real user logs in.