in reply to (jptxs) Re: Securing Passwords
in thread Securing Passwords

The cookie should be set to be good only for that session of the browser. The result is that, even using DHCP, it will work just fine, since when the person disconnects and re-connects from elsewhere, they will have to re-login to the central server. Also, what about the idea of having the central server, which (once it checks the passwd), creates a cookie, does an MD5 hash of the cyphertext cookie, then RSA encrypts the hash with a public key. (then base64 encodes it all as one string and sets the cookie).

After that, subsequent calls tear off the signature field, unencrypt it, then compare the result to their own MD5 hash of the rest of the cookie. Since IP and username, etc. are in the cookie, those items can also be tested, giving the same protection as the other methods.

This method is only really useful, of course, in a place with multiple servers, one central passwd server, etc. But it works. We use it.

What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"

(jptxs) Re: (jptxs) Re: Securing Passwords
by jptxs (Curate) on Apr 02, 2001 at 19:43 UTC
    Maybe, maybe not. As tilly notes above, some DHCP servers refresh the address very frequently, and it could be the case that the IP would change even during one session. If all they need is the cookie, then you may be fine, as in the time that the whole process takes place the cookie is made and they have it and all is well. If the IP is validated in any way, it could change and therefore invalidate the session. If it is not validated, you could argue that it's prone to spoofing if the cookie is intercepted in transit. The other problem is the case where the DHCP server changes the IP in the middle of the initial validation; then you're really screwed.

    I worked with security products at a previous company, and, in every case, when they depended in any way on IPs, even the slightest, there were always problems with DHCP. It's a PITA for sure =)

    "A man's maturity -- consists in having found again the seriousness one had as a child, at play." --Nietzsche
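The scheme in the root post (payload plus a signature over it, base64-encoded as one cookie string, torn apart and re-verified on every request) and the IP-binding concern jptxs raises, as an added example that is not from either poster. It is standard-library Python only, so the RSA-over-MD5 signature the post describes is swapped for an HMAC-SHA256 tag under a server-held key; the cookie structure and the verify-then-check-bound-fields flow are otherwise the same. The key, usernames and IP addresses are constructed sample values, and the `check_ip` switch is an assumption added so the IP binding can be turned off where DHCP makes it unreliable.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed demo key. In the post's design this role is played by the central
# password server's key pair; here a shared secret known only to the servers.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_cookie(username: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Build payload || tag and base64-encode the whole thing as one cookie string.

    The nonce makes each issued cookie distinct even for the same user and IP.
    No expiry is embedded: as in the post, the cookie is meant to be a
    browser-session cookie, so the browser discards it when it closes.
    """
    payload = json.dumps(
        {"user": username, "ip": client_ip, "nonce": secrets.token_hex(8)},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_cookie(cookie: str, client_ip: str, key: bytes = SERVER_KEY,
                  check_ip: bool = True):
    """Tear off the tag, recompute it over the rest, then check the bound fields.

    Returns the payload dict on success, None on any failure. The tag is
    compared in constant time; the IP check can be disabled (check_ip=False)
    where clients sit behind DHCP leases that may change mid-session.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # signature does not match the rest of the cookie
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(fields, dict) or "user" not in fields or "ip" not in fields:
        return None
    if check_ip and fields["ip"] != client_ip:
        return None  # cookie presented from a different address than it was issued to
    return fields


def tamper_username(cookie: str, new_user: str) -> str:
    """Rewrite the username inside a cookie without re-signing (a forged cookie
    for the verifier to reject). Used only to exercise verify_cookie."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    fields = json.loads(payload)
    fields["user"] = new_user
    forged = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(forged + tag).decode()


if __name__ == "__main__":
    c = make_cookie("alice", "10.0.0.5")
    print("valid, same IP:     ", verify_cookie(c, "10.0.0.5") is not None)
    print("valid, new DHCP IP: ", verify_cookie(c, "10.0.0.6") is not None)
    print("valid, IP unchecked:", verify_cookie(c, "10.0.0.6", check_ip=False) is not None)
    print("forged username:    ", verify_cookie(tamper_username(c, "mallory"), "10.0.0.5") is not None)
```

Any application server holding `SERVER_KEY` can validate a cookie without calling back to the central password server, which is the property the post is after. Whether to keep `check_ip` on is exactly the trade-off in the reply: it stops a captured cookie from being replayed from another address, but a lease change during the session logs the user out.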