Posted to general@jakarta.apache.org by John Summerfield <su...@OS2.ami.com.au> on 2000/08/24 02:59:15 UTC

Re: password cookie

> To anyone who saved users password in a cookie. Did you encrypt or encode the
> password before making the cookie? Did you use BASE64 or some stronger
> encryption (DES, etc.)? Tell me about your experiences. Thanks.
>

Don't forget to allow for those who disallow cookies.

Don't save a cookie that looks like a password (i.e. password=mmmmmm)

Do use just one cookie if you must use any. By all means, have it made up of
fixed-length fields - a password which is the 40th through 60th character of a
hundred-character hexadecimal (or, even better, pentadecimal!!) string will
probably escape notice as being anything important.


Re: password cookie

Posted by David Koblas <ko...@excitecorp.com>.
The below is good but you might also consider,

    * Authenticate the user against a directory
    * Issue a time based token to the user, containing:
        - username
        - timestamp
        - checksum (MD5 is nice)
        [key thing to note, is that if you only use the above information
         anybody could fake your token, so you should add a unique
         local key to the checksum (aka random number)]
    * Now, for every request you can quickly verify (using just a
      checksum) if the token is valid, without having to lookup
      information from a directory

--koblas

> Don't bother trying to do your own encoding on a password...
>
> Research the MD5 one-way hash.  When the user gives you a password,
> compute an MD5 from it and store that as a cookie.  When the user gives
> you the password and the cookie again, re-compute the hash and compare.
> Since the hash is one-way, someone cannot figure out the original
> password if they happen to get their hands on the cookie file.
>
> You can then also store their MD5 string on your server, and not have to
> worry about getting 'hacked' and giving up a whole bunch of your user's
> passwords.
>
> -David Bock
>
> John Summerfield wrote:
>
> > > To anyone who saved users password in a cookie. Did you encrypt or
> > > encode the password before making the cookie?  Did you use BASE64 or
> > > some stronger encryption (DES, etc.)? Tell me about your experiences.
> > > Thanks.
> > >
> >
> > Don't forget to allow for those who disallow cookies.
> >
> > Don't save a cookie that looks like a password (i.e. password=mmmmmm)
> >
> > Do use just one cookie if you must use any. By all means, have it made
> > up of fixed-length fields - a password which is the 40th through 60th
> > character of a hundred-character hexadecimal (or, even better,
> > pentadecimal!!) string will probably escape notice as being anything
> > important.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: general-help@jakarta.apache.org


Re: password cookie

Posted by David Bock <db...@fgm.com>.
Don't bother trying to do your own encoding on a password...

Research the MD5 one-way hash.  When the user gives you a password,
compute an MD5 from it and store that as a cookie.  When the user gives
you the password and the cookie again, re-compute the hash and compare.
Since the hash is one-way, someone cannot figure out the original
password if they happen to get their hands on the cookie file.

You can then also store their MD5 string on your server, and not have to
worry about getting 'hacked' and giving up a whole bunch of your user's
passwords.

-David Bock

John Summerfield wrote:

> > To anyone who saved users password in a cookie. Did you encrypt or encode the
> > password before making the cookie?  Did you use BASE64 or some stronger
> > encryption (DES, etc.)? Tell me about your experiences. Thanks.
> >
>
> Don't forget to allow for those who disallow cookies.
>
> Don't save a cookie that looks like a password (i.e. password=mmmmmm)
>
> Do use just one cookie if you must use any. By all means, have it made up of
> fixed-length fields - a password which is the 40th through 60th character of a
> hundred-character hexadecimal (or, even better, pentadecimal!!) string will
> probably escape notice as being anything important.
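
The token design David Koblas sketches above (username, timestamp, and a checksum keyed with a server-side secret, verified on every request without a directory lookup), worked through as an added example. This is not code from the thread or from any Jakarta project. It assumes HMAC-SHA256 in place of "MD5 plus a local key" as the keyed checksum, and the names SECRET_KEY, TOKEN_TTL, CLOCK_SKEW, make_token, verify_token and forge_token are choices made for this example. Unlike the hashed-password cookie David Bock describes, the token carries no password-derived material at all, and it expires; forge_token shows what an attacker who knows the layout but not the key can build, and why it is rejected.

```python
# Added example: a signed, time-limited login token (not code from the thread).
# Assumptions: HMAC-SHA256 stands in for "MD5 checksum plus a local secret";
# SECRET_KEY, TOKEN_TTL and CLOCK_SKEW are placeholder values for this example.
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumed server-side secret. In deployment generate it with os.urandom(32),
# load it from protected config, and never send it to the client.
SECRET_KEY = b"example-only-secret-replace-me"
TOKEN_TTL = 3600      # seconds a token stays valid (assumed value)
CLOCK_SKEW = 60       # tolerated clock drift between issuer and verifier (assumed)


def _mac(payload: bytes, key: bytes) -> str:
    """Keyed checksum over the payload. Knowing the token layout is not enough
    to produce a valid value; the key is required."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_token(username: str, now: Optional[float] = None,
               key: bytes = SECRET_KEY) -> str:
    """Issue a cookie value 'username|timestamp|mac', base64url-encoded so it
    is one opaque blob rather than anything password-shaped."""
    ts = int(time.time() if now is None else now)
    payload = f"{username}|{ts}".encode()
    token = payload + b"|" + _mac(payload, key).encode()
    return base64.urlsafe_b64encode(token).decode()


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None.
    Only a checksum recomputation is needed: no directory lookup per request."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, ts_str, mac = raw.rsplit("|", 2)   # username itself may contain '|'
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return None                                  # malformed or truncated token
    expected = _mac(f"{username}|{ts}".encode(), key)
    if not hmac.compare_digest(mac, expected):       # constant-time comparison
        return None                                  # forged, tampered, or wrong key
    if ts > now + CLOCK_SKEW or now - ts > ttl:
        return None                                  # issued in the future, or expired
    return username


def forge_token(username: str, ts: int) -> str:
    """What an attacker who knows the layout but not the key can build:
    an unkeyed MD5 over the same fields. verify_token rejects it."""
    payload = f"{username}|{ts}".encode()
    token = payload + b"|" + hashlib.md5(payload).hexdigest().encode()
    return base64.urlsafe_b64encode(token).decode()


if __name__ == "__main__":
    issued_at = 1_000_000                                  # constructed timestamp
    t = make_token("alice", now=issued_at)
    print(t)
    print(verify_token(t, now=issued_at + 500))            # alice
    print(verify_token(t, now=issued_at + TOKEN_TTL + 1))  # None (expired)
    print(verify_token(forge_token("admin", issued_at), now=issued_at + 500))  # None
```

Set the cookie with HttpOnly and Secure so the token is not readable by page scripts and never travels in clear text; rotating SECRET_KEY invalidates every outstanding token at once, which is the intended way to force a global re-login.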