mailing list archives
Re: Re: Re: Cookie Security
From: ellukicq () icqmail com
Date: 30 Apr 2008 16:12:27 -0000
If we don't consider the theory at the very first step, we are very likely to end up wasting our time.
If the theory is proven to be sound, that is when you move on.
So I wanted to confirm the fundamentals of proposed solution were ok.
I assume from your response, the basic procedure seems to be reasonable?
Now time for the practice...
"How you gona create hash?"
These are tried and tested algorithms. Both already implemented in a similar way for our authentication mechanism.
"Would it be possible to predict it if I will have 10/20/50 other hashes"
Using 3des should help to mitigate any cryptanalysis attacks.
"...if I will have another data?
in order to build the string, you would require the users password md5 hash (our PSK in this implementation). (not
"Where you will store sessionID and this hash"
The hash & sessionid would be stored in cookies, client side.
Unless you are aware of an alternative location?
"The bad thing is that HTTPOnly works only for Internet Explorer."
Thats a real shame. Sounded so good. (Always the way!).
- Re: Cookie Security, (continued)