Joao S. O. Bueno
gwidion at mpc.com.br
Tue Nov 25 00:32:40 EST 2003
On Monday 24 November 2003 16:55, Michael C. Neel wrote:
> 1. base64 decode it, and check our md5 sig
> 2. ungzip the string and parse it back to its object/string form
> 3. make sure the IP, user-agent match the current request
> 4. make sure the timestamp is within our limit for a login
>
> Now even if someone gets a copy of the cookie, if they don't know
> the MD5 key they can't alter it. Most likely their IP and/or
> user-agent won't match either, but if it does the odds are the
> timeout may have been reached already, esp if it's kept low like 5
> or 10 minutes.
>
> Mike

Wow...I got it all right without asking.

From everything you wrote, the only thing I did not do was: encode the user agent string - I just used the client IP. And I did not use GZIP because the MD5 hash has got a fixed length.

Oh..no..let's see...it is a bit different, what I had done:

1) pick up login time, client IP, server side key, random session ID strings and save them server side
2) generate an MD5 hash from the above and use it as a cookie.
3) at each page load, pick the cookie, and compare it with one regenerated from the strings saved on the server side (and the client IP). If there is no time out, and the hashed strings match, serve the page.

Again, I am not using mod_python's sessions because I am restricted to mod_python 2.7.x for this project.

Regards,

JS
-><-
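The scheme JS describes above (save the strings server side, hash them into the cookie, regenerate and compare on every page load, enforce a timeout), written out as an added example; this is not code from the post. It assumes an in-process dict keyed by the cookie value as the server-side store, a constructed server key, and it swaps the post's MD5 of concatenated strings for an HMAC with a constant-time comparison.

```python
"""Server-side session cookie check in the style described in the post.

Added example, not the list post's code. The cookie is a keyed hash over
login time, client IP, a server-side key and a random session id; the
server keeps those strings and regenerates the hash on every request.
Editorial substitutions: HMAC-SHA256 and hmac.compare_digest replace the
post's MD5 of concatenated strings and a plain == comparison.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TIMEOUT = 10 * 60          # seconds; the post suggests 5-10 minutes
SERVER_KEY = b"constructed-server-side-key-change-me"   # assumed, constructed
_SESSIONS = {}   # assumed store: cookie value -> (login_time, client_ip, session_id)


def _digest(login_time, client_ip, session_id):
    # NUL separator so "ab"+"c" and "a"+"bc" cannot collide as one string.
    msg = "\x00".join([str(login_time), client_ip, session_id]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def create_session(client_ip, now=None):
    """Steps 1-2 of the post: store the inputs server side, hand back the hash."""
    login_time = int(time.time() if now is None else now)
    session_id = secrets.token_hex(16)             # random session id string
    cookie = _digest(login_time, client_ip, session_id)
    _SESSIONS[cookie] = (login_time, client_ip, session_id)
    return cookie


def check_session(cookie, client_ip, now=None):
    """Step 3: regenerate the hash from the stored strings and the *current*
    request's IP, then enforce the timeout. True only if both checks hold."""
    record = _SESSIONS.get(cookie)
    if record is None:
        return False
    login_time, _stored_ip, session_id = record    # IP mismatch shows up as a hash mismatch
    now = time.time() if now is None else now
    if now - login_time > SESSION_TIMEOUT:
        _SESSIONS.pop(cookie, None)                # expired: drop it server side too
        return False
    expected = _digest(login_time, client_ip, session_id)
    return hmac.compare_digest(expected, cookie)
```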