> Advantages are that no state is stored in the database and multiple logins 
> are possible, with simpler code.[2] You can invalidate all logins by changing 
> the secret key, but can't invalidate individual sessions.
> 
> But that would mean a logout on one client would log out all others, wouldn't 
> it?
> 
> Ignore that question, please. I didn't grasp the important words "no state is 
> stored..."

It's also possible to implement a variation of the stateless HMAC scheme plus 
the current stateful "cookie value in database" scheme to allow "log out all 
sessions" functionality, like in Gmail.

1. Store some random bytes in database per user. This string will be a 
secret_key for HMAC.
2. Sign cookie values with HMAC(secret_key, value), where value is (login || ip 
|| expiration_time).
3. To logout one session, clear this cookie.
4. To logout all sessions, go to step 1 (replace secret_key in database with a 
new randomly generated one, thus invalidating all cookies).

Note: it's better to use double-HMAC as implemented in my authcookie package 
for the Go language: https://github.com/dchest/authcookie [according to this paper: 
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf]

--
Dmitry Chestnykh
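The four steps above, written out as an added Go example (not the authcookie package and not code from this thread). It uses a plain HMAC-SHA256 rather than the double-HMAC the note recommends, an in-memory map as the per-user key store, and a constructed `login|ip|expiry|mac` cookie layout in which logins may not contain the `|` separator:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)
// Step 1: one random secret per user, standing in for the database column.
// Constructed example: logins must not contain the '|' separator used below.
var userKeys = map[string][]byte{}
// NewUserKey creates or rotates a user's secret; rotating is step 4: every cookie signed under the old key stops verifying.
func NewUserKey(login string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	userKeys[login] = k
	return nil
}
func mac(key []byte, value string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(value))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}
// MakeCookie is step 2: value = login|ip|expiry, cookie = value|HMAC(key, value).
func MakeCookie(login, ip string, expires time.Time) (string, error) {
	key, ok := userKeys[login]
	if !ok {
		return "", errors.New("unknown user")
	}
	value := login + "|" + ip + "|" + strconv.FormatInt(expires.Unix(), 10)
	return value + "|" + mac(key, value), nil
}
// VerifyCookie checks the MAC under the user's current key, then expiry and IP.
func VerifyCookie(cookie, ip string, now time.Time) (string, bool) {
	p := strings.Split(cookie, "|")
	key, ok := userKeys[p[0]]
	if len(p) != 4 || !ok || !hmac.Equal([]byte(p[3]), []byte(mac(key, strings.Join(p[:3], "|")))) {
		return "", false // malformed, unknown user, tampered value, or key rotated
	}
	exp, err := strconv.ParseInt(p[2], 10, 64)
	if err != nil || now.Unix() >= exp || p[1] != ip {
		return "", false // expired, or presented from a different IP
	}
	return p[0], true
}
```

Logging out one session (step 3) is just the client dropping its cookie; calling NewUserKey again for the same login is the "log out everywhere" operation.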

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users