Another way to keep this secure is discussed in the book Writing Modules for Apache with C and Perl (O'Reilly's "mod_perl" book, basically :).

Store a random string (generate it however you want; talk to the cryptography experts for advice if you want it to be truly random :) on the server that nobody has access to except the processes on the server that handle authentication. When a user logs in, store a cookie on his local machine that contains a few variables (like username, last access time, etc.) but *not* the user's password or the secret key.

The other field to store should be a hash. The example the mod_perl book shows just uses MD5 -- you build a string concatenating that secret key, the user name, login time, last access, requesting IP address, etc., hash it, then send that hash along with the rest of the fields.

The upshot of this is you can detect tampering of the cookie (copied to another box, changed username or last-access time, etc.) and immediately kill the session it refers to (or take whatever action you want) when you notice the difference. The fields in the cookie are only valid if the hash is also valid, and only the server can create a valid hash.

Combine this with a check to see how long it's been since the user last accessed a secured page, and if it's over your threshold (say 30 minutes) you immediately redirect to a login page and only on success would you redirect back to the session. It's a VERY neat example in the book.


In reply to Re: Cookie based authentication: Is it secure? by Anonymous Monk
in thread Cookie based authentication: Is it secure? by rodry
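The scheme described in the post above, worked through as an added example (my own code, not from the post or from the mod_perl book). Two things are swapped in deliberately: the tag is an HMAC-SHA256 over the fields (Digest::SHA is a core module) rather than a plain MD5 of secret-plus-fields, because a bare hash with the secret prefixed is subject to length-extension, and the tag comparison is constant-time. The secret literal, the field separator, the IP addresses and the timestamps are all constructed placeholders for a self-contained demo; in a real handler the secret comes from a file only the auth process can read.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA   qw(hmac_sha256_hex);                 # core since Perl 5.10
use MIME::Base64  qw(encode_base64 decode_base64);

# Placeholder secret for the demo. In production read it from a file that
# only the authentication process can open, and generate it from a CSPRNG.
my $SECRET       = 'placeholder-secret-replace-with-32-plus-random-bytes';
my $IDLE_TIMEOUT = 30 * 60;       # the post's 30-minute idle threshold
my $SEP          = "\t";          # tab: cannot appear in an IPv4/IPv6 address

# Build the cookie value: plaintext fields plus a keyed tag over them.
# The key (server secret) never leaves the server; the password is not stored.
sub make_cookie {
    my ($user, $login_time, $last_access, $ip) = @_;
    my $payload = join $SEP, $user, $login_time, $last_access, $ip;
    my $tag     = hmac_sha256_hex($payload, $SECRET);
    return encode_base64(join($SEP, $payload, $tag), '');
}

# Constant-time equality so an attacker cannot time the tag check byte by byte.
sub tag_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Validate a cookie presented from $req_ip at epoch time $now.
# Returns a status ('ok', 'tampered', 'expired', 'malformed') and, on 'ok',
# a hashref of the trusted fields.
sub check_cookie {
    my ($cookie, $req_ip, $now) = @_;
    my @f = split /$SEP/, decode_base64($cookie), -1;
    return ('malformed') unless @f == 5;
    my ($user, $login_time, $last_access, $ip, $tag) = @f;

    # Recompute the tag over exactly the fields the client sent back.
    my $expected = hmac_sha256_hex(join($SEP, $user, $login_time, $last_access, $ip), $SECRET);
    return ('tampered') unless tag_equal($tag, $expected);

    # Cookie copied to another machine: fields intact, but IP no longer matches.
    return ('tampered') unless $ip eq $req_ip;

    # Idle too long: bounce to the login page, as the post describes.
    return ('expired') if $now - $last_access > $IDLE_TIMEOUT;

    return ('ok', { user => $user, login_time => $login_time, last_access => $last_access, ip => $ip });
}

# After a successful check, reissue the cookie with a fresh last-access time.
sub refresh_cookie {
    my ($fields, $now) = @_;
    return make_cookie($fields->{user}, $fields->{login_time}, $now, $fields->{ip});
}

# --- demo with constructed values (no real users, IPs or sessions) ---
my $t0     = 1_700_000_000;
my $cookie = make_cookie('rodry', $t0, $t0, '192.0.2.10');

my ($st, $fields) = check_cookie($cookie, '192.0.2.10', $t0 + 60);
printf "%-32s %s\n", 'fresh, same IP:', $st;
$cookie = refresh_cookie($fields, $t0 + 60) if $st eq 'ok';

($st) = check_cookie($cookie, '198.51.100.7', $t0 + 120);
printf "%-32s %s\n", 'same cookie, other IP:', $st;

# An attacker edits the username inside the cookie without knowing $SECRET.
(my $forged = decode_base64($cookie)) =~ s/^rodry/root/;
($st) = check_cookie(encode_base64($forged, ''), '192.0.2.10', $t0 + 120);
printf "%-32s %s\n", 'edited username:', $st;

($st) = check_cookie($cookie, '192.0.2.10', $t0 + 60 + 31 * 60);
printf "%-32s %s\n", '31 minutes idle:', $st;
```

The four calls at the end exercise each return state in turn: a valid fresh cookie, the same cookie replayed from a different address, a cookie whose username was edited without the secret, and a cookie past the idle threshold. Two practical caveats on the design itself: tying the session to the requesting IP will log out users whose address changes mid-session (mobile networks, some proxies), so many deployments drop that field or make it advisory; and since the cookie is the whole session, the secret must be rotated (invalidating all cookies) if it is ever exposed.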