modperl-cookie_security_tricks

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.

To: Vsevolod Ilyushchenko <simonf@cshl.edu>
From: Ed Grimm <ed@tgape.org>
Subject: Re: Single login/sign-on for different web apps?
Date: Wed, 16 Jan 2002 18:28:48 -0500 (EST)

On Wed, 16 Jan 2002, Paul Lindner wrote:
> On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
>>> 
>>>  3) Perl-based applications can just use the module and the common key
>>>     to decrypt the contents of the cookie to find the authenticated
>>>     username.  If the cookie is not present redirect to the central
>>>     authentication page, passing in the URL to return to after
>>>     authentication.
>> 
>> Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
>> if I use https instead of http, people won't be able to steal my (encoded)
>> session information as it is transmitted. And I can also add the IP address
>> to the cookie information.
>> 
>> But the cookies file might be readable by other people! If they can steal
>> that file and change the IP address of another machine to yours, they can
>> pretend they are you!
>> I wonder if there is a way out of this...
> 
> Yes, you use the timestamp.  Just reauthenticate the user when they
> try to do 'sensitive' activities.

No, use session cookies - they're not stored on disk.  If you need the
system to retain knowledge through a browser shutdown, you can use a
timestamped cookie to retain the user ID, but don't have it allow them
to do anything other than not have to type their user ID in again
(password screen has user ID filled out for them.)

One can also mark the cookies such that they'll only be transmitted over
https.

 use CGI::Cookie;

 # No -expires: a session cookie, held only in browser memory.
 # -secure => 1: the browser sends it over https only.
 $cookie = CGI::Cookie->new(-name   => 'login',
                            -value  => tgape::setcookiepassword($uid, $pass),
                            -domain => '.tgape.org',
                            -path   => '/',
                            -secure => 1,
 );

If you feel the need to timestamp your session cookies, make the cookie
include an encrypted timestamp.

> For example you might allow someone to view their bank balance if they
> typed their password within the last 2 hours.  Transferring money
> might require a valid password within the last 10 minutes..

Ah, but many systems will refresh a cookie on activity.  So they view
their balance, get a new cookie, and then transfer money.

> Of course, the best authentication system for banking I've seen is
> from UBS.  They send you a scratchlist of around 100 numbers.  Every
> time you login you use one of the numbers and cross it off.  Very
> slick.

All I need to do is find where you left the list.  Written passwords are
not anywhere near as secure as memorized passwords, unless the person
carrying them around is really conscious about security concerns.

===
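The scheme the thread arrives at (a session cookie carrying a tamper-proof timestamp, sent with the Secure flag, plus a fresher password check for sensitive actions), as an added example that is not code from any poster in the thread. It is written in Python rather than the Perl of the original. SERVER_KEY, the .example.org domain, the function names and the time windows are constructed for the demonstration (the 2 hour and 10 minute windows are Paul's numbers). It uses an HMAC over the cookie fields rather than encrypting them, which gives the property the thread needs: the client cannot edit the timestamp. It also handles Ed's objection: refreshing the cookie on activity slides the idle timer but carries the password timestamp over unchanged, so viewing a balance never qualifies a user to transfer money.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key. In a deployment this is the "common key" shared by the
# cooperating applications, generated randomly and kept out of source control.
SERVER_KEY = b"constructed-demo-key-replace-me"

IDLE_TIMEOUT = 2 * 60 * 60     # seconds without a request before the session dies
TRANSFER_WINDOW = 10 * 60      # password must have been typed within 10 minutes
VIEW_WINDOW = 2 * 60 * 60      # ...or within 2 hours just to view a balance


def make_session_cookie(user, auth_time, last_seen, key=SERVER_KEY):
    """Cookie value: base64(user|auth_time|last_seen) '.' hex(HMAC-SHA256).

    auth_time is when the user last typed a password; last_seen is the time of
    the last request. The HMAC is what stops the client editing either field."""
    payload = f"{user}|{int(auth_time)}|{int(last_seen)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def parse_session_cookie(value, now, key=SERVER_KEY):
    """Return (user, auth_time, last_seen) for an authentic, non-idle cookie, else None."""
    try:
        b64, mac = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, and verify before trusting any field.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        user, auth_s, seen_s = payload.decode().split("|")
        auth_time, last_seen = int(auth_s), int(seen_s)
    except (ValueError, UnicodeDecodeError):
        return None
    if now - last_seen > IDLE_TIMEOUT:
        return None
    return user, auth_time, last_seen


def refresh_on_activity(value, now, key=SERVER_KEY):
    """Slide the idle timer on a request but keep auth_time as it was:
    activity is not the same as having typed the password again."""
    parsed = parse_session_cookie(value, now, key)
    if parsed is None:
        return None
    user, auth_time, _ = parsed
    return make_session_cookie(user, auth_time, now, key)


def password_fresh_within(value, now, window, key=SERVER_KEY):
    """True if the cookie is valid and the password was typed within `window` seconds."""
    parsed = parse_session_cookie(value, now, key)
    return parsed is not None and now - parsed[1] <= window


def session_cookie_header(value, name="login", domain=".example.org"):
    """Set-Cookie line with no Expires/Max-Age (lives only in browser memory) and
    the Secure flag (https only). The domain is a constructed placeholder."""
    return f"Set-Cookie: {name}={value}; Domain={domain}; Path=/; Secure"


if __name__ == "__main__":
    t0 = 1_000_000
    cookie = make_session_cookie("alice", t0, t0)
    print(session_cookie_header(cookie))
    cookie = refresh_on_activity(cookie, t0 + 9 * 60)   # views balance at +9 min
    print("transfer at +11 min allowed?",
          password_fresh_within(cookie, t0 + 11 * 60, TRANSFER_WINDOW))  # False
```

The sensitive-action check reads the password timestamp, never the cookie's issue time, so a cookie refreshed a minute ago still fails the 10 minute test if the password was typed 11 minutes ago; re-entering the password is the only thing that sets auth_time.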