Implementing session cookies
Replies: 6 | Last Post Aug. 15, 2008 9:17pm by telomere13

Mediocre
Dairy Product Addict
So, I just finished coding the login script for an upcoming project. It relies on a session cookie with a value that is (essentially) the user's password, hashed. I'm worried that someone could steal the value of this cookie and then create "poisoned" cookies with that value whenever they want to impersonate their victim. One way to mitigate this would be to salt the password hash with something (like the day's date) that would make the cookie only work for a limited time.

How do other coders take care of this? Or is it considered acceptable to use a cookie that could last forever?

Salting with the user's IP will not work, because most of my visitors connect via Tor...

Post edited at 8:24 pm on Aug. 15, 2008 by Mediocre

-------
Incest and bestiality are neat.


8:22 pm on Aug. 15, 2008 | Joined: Nov. 2007 | Days Active: 209
Post from this position was omitted due to content violations
Post from this position was omitted due to content violations
Post from this position was omitted due to content violations
telomere13
Dairy Product Addict
Patron
Tech Support Leader
You can put the date in, but you need to make sure that it's secure, because if the person can extract the date from the cookie, they can make their own with any date. So I would say, at very least, use a pseudorandom generator seeded with the date, but if you want any reasonable degree of security, look at the code for an open source messageboard software (like PHPBB).

(edit) Keeping the password's key, forever, is really no better than storing the password in plain text.

Post edited at 8:32 pm on Aug. 15, 2008 by telomere13

-------
http://www.golivewire.com/forums/peer-yatapys-support-a.html


8:31 pm on Aug. 15, 2008 | Joined: April 2005 | Days Active: 1,293
Mediocre
Dairy Product Addict
Well, I decided to name the cookie (something to the effect of)
Code:
"orly_" . sha1('CzQTqaxd29TP1zag9AlENL0sMPsaNGiNju2nhoRZ' . date('zYF'))
I don't see how this could realistically be reversed.

-------
Incest and bestiality are neat.

9:13 pm on Aug. 15, 2008 | Joined: Nov. 2007 | Days Active: 209
telomere13
Dairy Product Addict
Patron
Tech Support Leader
I have no idea what language you're using so that means absolutely nothing to me.

That said, is the date reversible in any way? As long as the date is reversible and the rest is constant, all you need to do to make a fake cookie is use the current date with the constant part.

-------
http://www.golivewire.com/forums/peer-yatapys-support-a.html


9:17 pm on Aug. 15, 2008 | Joined: April 2005 | Days Active: 1,293
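The weakness telomere13 describes is that a cookie built from a constant plus a recoverable date can be rebuilt by anyone who learns its layout. As an added Python illustration, not code from this thread, the shape that holds up keeps the password out of the cookie entirely: the cookie carries a user id and an expiry in the clear plus an HMAC over both under a secret that lives only on the server, so the one-day window comes from the expiry field rather than from hiding the date. The function names, the constructed secret and the day-long lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a server-only secret. It never appears in
# the cookie, so knowing the cookie layout and today's date is not enough
# to produce a valid value.
SERVER_SECRET = secrets.token_bytes(32)
MAX_AGE = 24 * 60 * 60  # one day, the lifetime the thread discusses


def issue_cookie(user_id, now=None, secret=SERVER_SECRET):
    """Build 'user_id.expiry.tag' with tag = HMAC-SHA256(secret, 'user_id.expiry')."""
    now = int(time.time()) if now is None else now
    expiry = now + MAX_AGE
    payload = f"{user_id}.{expiry}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{expiry}.{tag}"


def verify_cookie(cookie, now=None, secret=SERVER_SECRET):
    """Return the user_id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expiry_text, tag = cookie.rsplit(".", 2)
        expiry = int(expiry_text)
    except ValueError:
        return None  # malformed cookie
    # Recompute the tag over the fields as received and compare in constant
    # time; a changed user_id, a changed expiry or a guessed tag fails here.
    expected = hmac.new(secret, f"{user_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if now >= expiry:
        return None  # the window has passed; the user must log in again
    return user_id


if __name__ == "__main__":
    cookie = issue_cookie("alice")
    print(cookie)
    print(verify_cookie(cookie))                           # alice
    print(verify_cookie(cookie.replace("alice", "bob")))   # None
```

A stolen cookie still works until its expiry, so the server should also be able to revoke sessions (for example by keeping a server-side session table) rather than relying on the window alone.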