Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from 2009.

Terry Wilson wrote:
> I have a system where someone logs in with a user and pass, and webdna
> checks a user database. If they are a member, they get a cookie named
> status with a value of current.

Three ways to tighten up session cookie based logon security:

1) Encrypt the cookie's value (remember the double [URL] context required when encrypting cookies)

2) Include a date based dynamic value in the cookie and configure the logon checking script to only accept cookies set today and yesterday. (Why yesterday? Because somebody might stay logged on through midnight.)

3) Include a unique id in each cookie (e.g. a random number or a cart number). Then create a database that keeps track of which ip address each client has. (The ip database has to be updated each time a client logs on in case he/she uses roaming access or multiple connections.)

Combine all these three and you should be fairly safe from session sidejacking.

Frank Nordberg
http://www.musicaviva.com

Associated Messages, from the most recent to the oldest:

  1. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  2. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  3. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  4. Re: [WebDNA] Secure Cookies (Brian Harrington 2020)
  5. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  6. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  7. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  8. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  9. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  10. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  11. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  12. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  13. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  14. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  15. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  16. [WebDNA] Secure Cookies - Further reading (Stuart Tremain 2020)
  17. [WebDNA] Secure Cookies (Stuart Tremain 2020)
  18. Re: [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  19. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (Tom Duke 2013)
  20. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (WebDNA 2013)
  21. [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  22. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  23. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  24. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  25. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  26. Re: [WebDNA] Secure Cookies (Frank Nordberg 2009)
  27. Re: [WebDNA] Secure Cookies (Govinda 2009)
  28. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  29. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  30. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  31. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  32. Re: [WebDNA] Secure Cookies (Donovan Brooke 2009)
  33. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  34. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  35. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  36. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  37. [WebDNA] Secure Cookies (Stuart Tremain 2009)
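
The three measures Frank lists, worked through as an added example in Python rather than WebDNA. This is not code from his post or from the WebDNA project. It substitutes a keyed HMAC over the cookie value for "encrypt the cookie's value": what has to be stopped is a client minting status=current on its own, and a MAC gives that integrity check directly. The unique id of point 3 is a random per-logon session id, and the "ip database" is an in-memory dict. The names SERVER_KEY, SESSIONS, issue_cookie, check_cookie and logout, the sample addresses and the 2009 dates are assumptions made for the example.

```python
"""Hardened logon cookie: HMAC-signed value carrying the user, a random
per-logon session id and the issue date, checked against a today/yesterday
window and an ip-per-session store. Added example, not code from the post."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Assumption: one per-deployment secret, generated at startup and never sent
# to the client. Rotating it invalidates every outstanding cookie.
SERVER_KEY = secrets.token_bytes(32)

# Assumption: a dict stands in for the "ip database" of point 3.
# Keyed by session id; records the user and the ip seen at the last logon.
SESSIONS: dict = {}


def _mac(payload: str) -> str:
    """Keyed integrity tag, swapped in for 'encrypt the cookie's value':
    without SERVER_KEY nobody can produce a tag that check_cookie accepts."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, today: Optional[date] = None) -> str:
    """Called after the user/password check succeeds; returns the cookie value."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    today = today or date.today()
    sid = secrets.token_urlsafe(16)                 # point 3: unique id per logon
    payload = f"{user}|{sid}|{today.isoformat()}"   # point 2: issue date inside
    # Every logon (re)writes the ip, so roaming clients keep working (point 3).
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return f"{payload}|{_mac(payload)}"


def set_cookie_header(value: str) -> str:
    """Set-Cookie line carrying the Secure and HttpOnly attributes the later
    messages in this thread discuss; SameSite=Lax added on top."""
    return f"Set-Cookie: status={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def check_cookie(value: str, client_ip: str, today: Optional[date] = None) -> Optional[str]:
    """Return the user name if the cookie passes all three checks, else None."""
    today = today or date.today()
    parts = value.split("|")
    if len(parts) != 4:            # the original flat 'current' value lands here
        return None
    user, sid, day, tag = parts
    # 1) integrity: constant-time compare against a freshly computed tag
    if not hmac.compare_digest(_mac(f"{user}|{sid}|{day}"), tag):
        return None
    # 2) freshness: only cookies issued today or yesterday
    try:
        issued = date.fromisoformat(day)
    except ValueError:
        return None
    if not (today - timedelta(days=1) <= issued <= today):
        return None
    # 3) binding: session id must exist and be tied to this user and this ip
    rec = SESSIONS.get(sid)
    if rec is None or rec["user"] != user or rec["ip"] != client_ip:
        return None
    return user


def logout(value: str) -> None:
    """Server-side revocation: once the id is gone a stolen copy is useless."""
    parts = value.split("|")
    if len(parts) == 4:
        SESSIONS.pop(parts[1], None)


if __name__ == "__main__":
    d = date(2009, 6, 1)                       # constructed logon date
    c = issue_cookie("terry", "192.0.2.10", today=d)
    print(set_cookie_header(c))
    print(check_cookie(c, "192.0.2.10", today=d))    # terry
    print(check_cookie(c, "198.51.100.7", today=d))  # None: other address
```

check_cookie fails closed on each test separately, so a forged value, a two-day-old replay and a cookie presented from another address are all rejected, and logout kills the id server-side even if the client keeps the cookie. Frank's own caveat still applies: a user whose address changes mid-session (roaming, some NATs) is logged out until the next logon, which re-records the ip. The double [URL] context he mentions is a WebDNA encoding detail with no counterpart here.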
