Feature #30378
Cookie authentication
| Status: | Closed | Start date: | 2011-09-28 |
|---|---|---|---|
| Priority: | Could have | Due date: | |
| Assigned To: | - | % Done: | 0% |
| Category: | Security | | |
| Target version: | - | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | | |
Description
It would be nice to have a proof cookie authentication possibility on board. I did a bit of research and found the following blog entry:
http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb/
Briefly said, this idea sets a cookie of the form
username + ':' + timestamp + ':' + HMAC(username + ':' + timestamp)
Whenever a request arrives having this cookie set and of course matching the hash, the user is considered authenticated.
The most interesting thing is that the cookie is re-set after e.g. 10 minutes, so that hijacking this cookie is limited to a time window of 10 minutes.
Vice versa this means that an expired timestamped cookie is disregarded.
As I need this functionality for my project, I would be delighted to write this; but I think I need some kind of mentor who takes me by the hand, even to discuss some things.
What do you mean?
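The cookie scheme described in the request above, worked through as an added example (not code from the reporter, the linked blog post, or FLOW3). The key value, the choice of SHA-256 as the HMAC hash, the 600-second window and all function names are assumptions of this example.

```python
import hashlib
import hmac
import time

# Assumed for this example: the key, SHA-256 as the HMAC hash, and a 600 s window.
SECRET_KEY = b"constructed-demo-key"  # constructed value; keep the real key server-side
MAX_AGE = 600  # seconds, the "e.g. 10 minutes" from the description


def _mac(payload, key):
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(username, now=None, key=SECRET_KEY):
    """Build username:timestamp:HMAC(username:timestamp)."""
    if not username or ":" in username:
        # ':' is the field separator, so it must not appear inside a field
        raise ValueError("username must be non-empty and must not contain ':'")
    ts = int(time.time() if now is None else now)
    payload = f"{username}:{ts}"
    return f"{payload}:{_mac(payload, key)}"


def verify_cookie(cookie, now=None, key=SECRET_KEY, max_age=MAX_AGE):
    """Return the username for an authentic, unexpired cookie, else None."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    username, ts_text, mac = parts
    expected = _mac(f"{username}:{ts_text}", key)
    # Constant-time comparison; no field is trusted before the MAC matches
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    if not (ts_text.isascii() and ts_text.isdigit()):
        return None
    age = int(time.time() if now is None else now) - int(ts_text)
    if age < 0 or age > max_age:  # future-dated or expired
        return None
    return username


def refresh_cookie(cookie, now=None, key=SECRET_KEY):
    """Re-set a still-valid cookie with a fresh timestamp, else None."""
    username = verify_cookie(cookie, now=now, key=key)
    return None if username is None else issue_cookie(username, now=now, key=key)
```

Because the cookie is verified statelessly, the server cannot revoke an individual cookie before its timestamp expires without keeping extra state or rotating the key.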
History
#1 Updated by Adrian Föder almost 4 years ago
- Assigned To deleted (Adrian Föder)
Sorry, I completely missed the thing; what is described above is a kind of session login handling which FLOW3 supplies anyway.
Well, here I found another article that seems to be very interesting:
http://jaspan.com/improved_persistent_login_cookie_best_practice
#2 Updated by Karsten Dambekalns over 3 years ago
- Status changed from New to Closed
- Has patch set to No