Simon Willison
cs1spw at bath.ac.uk
Mon Nov 24 13:56:15 EST 2003
Michael C. Neel wrote:
> ...now when we decode the cookie...
>
> 1. base64 decode it, and check our md5 sig
> 2. ungzip the string and parse it back to its object/string form
> 3. make sure the IP, user-agent match the current request
> 4. make sure the timestamp is within our limit for a login

One potential problem with checking the IP is that some people access the internet through a rotating proxy, meaning that subsequent requests might come from a different IP address (I've heard AOL does this). One way around this would be to check that at least the first two parts of the IP address stayed the same, as only the last two would be likely to change if a rotating proxy was in use.
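The four decode steps Michael lists, plus the two-octet IP prefix check Simon proposes, as an added worked example; this is not code from either poster. It assumes the "md5 sig" is an HMAC-MD5 over the gzipped body keyed with a server secret, that the payload is JSON, a one-hour login window, and a constructed secret; all of those are assumptions, not details from the thread.

```python
import base64
import gzip
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real deployment keeps it out of source.
SECRET = b"example-server-secret"
# Assumption: the "limit for a login" from the thread is one hour.
LOGIN_WINDOW_SECONDS = 3600
MD5_DIGEST_LEN = 16


def ip_prefix_matches(cookie_ip, request_ip, octets=2):
    """Compare only the leading octets, as suggested for rotating-proxy users."""
    return cookie_ip.split(".")[:octets] == request_ip.split(".")[:octets]


def encode_cookie(payload, secret=SECRET):
    """Gzip the JSON payload, append an HMAC-MD5 tag, then base64 the whole thing."""
    body = gzip.compress(json.dumps(payload).encode())
    sig = hmac.new(secret, body, hashlib.md5).digest()
    return base64.b64encode(body + sig).decode()


def decode_cookie(cookie, request_ip, user_agent, now=None, secret=SECRET):
    """Run the four steps from the quoted message; return the payload or None."""
    now = time.time() if now is None else now

    # 1. base64 decode and check the signature (constant-time compare).
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:
        return None
    body, sig = raw[:-MD5_DIGEST_LEN], raw[-MD5_DIGEST_LEN:]
    expected = hmac.new(secret, body, hashlib.md5).digest()
    if not hmac.compare_digest(sig, expected):
        return None

    # 2. ungzip and parse back into a dict.
    try:
        payload = json.loads(gzip.decompress(body))
    except (OSError, EOFError, ValueError):
        return None
    if not isinstance(payload, dict):
        return None

    # 3. IP (first two octets only) and user-agent must match this request.
    if not ip_prefix_matches(payload.get("ip", ""), request_ip):
        return None
    if payload.get("ua") != user_agent:
        return None

    # 4. timestamp must be within the login window and not in the future.
    ts = payload.get("ts")
    if not isinstance(ts, (int, float)):
        return None
    if not 0 <= now - ts <= LOGIN_WINDOW_SECONDS:
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample request data.
    issued = 1_700_000_000
    cookie = encode_cookie({"user": "alice", "ip": "10.20.30.40",
                            "ua": "Mozilla/5.0", "ts": issued})
    print(decode_cookie(cookie, "10.20.99.1", "Mozilla/5.0", now=issued + 60))
```

The signature is verified before decompression so a forged cookie never reaches the gzip or JSON parser, and the prefix comparison is done on the decoded IP string rather than on anything the client can influence after signing.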