Gyepi writes:

> If you haven't already, read
> 'Dos and Don'ts of Client Authentication on the Web' at
> http://www.usenix.org/events/sec01/fu/fu_html/index.html
Ah, good to see this did get published; I only read the authors' pre-print version. I'll second the recommendation to read through this paper; it gives a clear description of common mistakes and offers one good solution.

If you need to store additional session data besides the session ID in a database, I recommend the following. Generate a random meaningless session ID (containing no username, password, or other user data) and create a MAC based on this as suggested in the paper. Store this session ID/MAC along with the real user data in the DB. When checking a session ID, first check the MAC; this is faster than checking the DB and will help shield your DB machine (assuming it's different from the web server) from a denial of service attack involving forged session IDs. After verifying the MAC, you can extract and check all necessary data from the DB.

Richard J. Barbalace
Cambridge, MA
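The scheme Richard describes (random session ID, keyed MAC checked before any database lookup, user data kept only in the DB), as an added example that is not part of the original post or of the Fu et al. paper. The in-memory dict standing in for the session table, the `SessionStore` class and its `db_lookups` counter, and the hard-coded `SERVER_KEY` are all assumptions made for the example; a real deployment would load the key from a secrets store and use a real database.

```python
"""Session cookies of the form <session_id>.<mac>: a random, meaningless
ID plus an HMAC keyed with a server secret, so that forged cookies are
rejected on the web server before the database is ever consulted."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Server-side MAC key. Generated at import time for this example only;
# a real service loads it from a secrets store so it survives restarts.
SERVER_KEY = secrets.token_bytes(32)


def encode_part(raw: bytes) -> str:
    """URL-safe base64 without padding, so the cookie stays simple."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_part(text: str) -> bytes:
    """Inverse of encode_part; raises binascii.Error on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_for(session_id: bytes, key: bytes = SERVER_KEY) -> bytes:
    """HMAC-SHA256 over the session ID. Only the server can produce this."""
    return hmac.new(key, session_id, hashlib.sha256).digest()


class SessionStore:
    """Session table stand-in (assumed for the example) that counts DB hits,
    so a test can confirm forged cookies never reach the database."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.db = {}          # session_id (bytes) -> per-user session data
        self.db_lookups = 0

    def issue(self, username: str) -> str:
        """Create a session for `username` and return the cookie value."""
        session_id = secrets.token_bytes(16)      # random, carries no user data
        tag = mac_for(session_id, self.key)
        # The real user data lives only in the DB, keyed by the session ID.
        self.db[session_id] = {"username": username, "created": time.time()}
        return f"{encode_part(session_id)}.{encode_part(tag)}"

    def verify(self, cookie: str):
        """Return the session record, or None if the cookie is not valid.

        The MAC is checked first: it costs one HMAC on the web server and
        no round-trip, so cookies that fail it never touch the database."""
        try:
            id_text, tag_text = cookie.split(".", 1)
            session_id, tag = decode_part(id_text), decode_part(tag_text)
        except (ValueError, binascii.Error):
            return None                            # malformed cookie
        expected = mac_for(session_id, self.key)
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None                            # bad MAC: DB not consulted
        self.db_lookups += 1
        return self.db.get(session_id)             # None if already logged out


def forged_cookie() -> str:
    """A cookie with a random ID and a random tag, i.e. what arrives when
    someone guesses session IDs without knowing SERVER_KEY. Used to test
    that such cookies are dropped before the database lookup."""
    return f"{encode_part(secrets.token_bytes(16))}.{encode_part(secrets.token_bytes(32))}"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice")
    print("valid cookie  ->", store.verify(cookie))
    print("forged cookie ->", store.verify(forged_cookie()))
    print("DB lookups:", store.db_lookups)
```

The paper's own construction also binds an expiry time into the MACed data; that is omitted here to keep the focus on the ordering Richard recommends, but it drops in by appending the expiry to the message passed to `mac_for` and checking it alongside the tag.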
