in reply to Re: Safely storing password
in thread Safely storing password

When the user logs in I generate a session id string containing their username, a time-stamp and a random string.

My first thought is: if I want my session to last forever, all I have to do is alter the time-stamp... or do you mean you create a session_id based on these values?

Re: Re: Re: Safely storing password
by Bilbo (Pilgrim) on Nov 22, 2002 at 22:32 UTC

    Yes, that's what I meant. The username and timestamp are mainly there to avoid the very small risk that two entirely random session ids could be identical. Even if I did use the timestamp to check the age of the session it wouldn't be a problem because if you altered the timestamp then the session id stored in your cookie would not match the one held on the server.

      After a bit more work, I realised the best way to have my scripts run securely is this. This works really well:
      apache_1.3.27.tar.gz
      mod_ssl-2.8.14-1.3.27.tar.gz
      openssl-0.9.7a.tar.gz

      $ cd openssl-0.9.7a
      $ ./config
      $ make
      $ cd ..
      $ cd mod_ssl-2.8.14-1.3.27
      $ ./configure \
          --with-apache=../apache_1.3.27 \
          --with-ssl=../openssl-0.9.7a \
          --prefix=/usr/local/apache
      $ cd ..
      $ cd apache_1.3.27
      $ make
      $ make certificate TYPE=custom
      $ make install
      $ /usr/local/apache/bin/httpd -DSSL
      Make sure to export the secure public key to each client...