On Mon, 11 Oct 1999, Ofer Inbar wrote:

> Eugene Sotirescu <[EMAIL PROTECTED]> wrote:
[...snipped...]
> 
> When a browser session comes in without appropriate authentication
> cookies, they get a login screen.  When they post username and
> password, check that against the locally stored user table, and if
> they match, issue a set of authentication cookies.  These hold three
> pieces of information:
>  - the username
>  - the date-time (seconds since epoch) these cookies were issued
>  - an MD5 hash
> 
> The hash is of: username, per-user secret, application secret,
>  application's version number, IP address of browser session, and
>  time cookies were issued.
> 
[...lots more snipped...]

I am curious because I've seen this sort of statement a couple of times.

Wouldn't passing the username and time of the cookie issuance weaken the
MD5 hash since you would be giving a perpetrator more information to
create the MD5 hash themselves? It seems to me that at the very least,
don't pass the time to the user because that doesn't add value to the
client side.

Later,
  Gunther
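A worked version of the cookie scheme quoted above, added here as an illustration and not code from either poster. It issues the three cookie values on a successful login and verifies them by recomputing the MD5 hash from the server-side secrets, so it shows what the client-visible username and timestamp do and do not give a forger: they are inputs the server recomputes from its own copy of the user table, and the hash cannot be reproduced without the per-user and application secrets, while the timestamp lets the server reject stale cookies without keeping per-session state. The quoted message does not give the field order, the separator between fields, or a cookie lifetime; the `|` separator, the field order, the one-hour `MAX_AGE_SECONDS`, and all user data and secrets below are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the "locally stored user table" and the two
# secrets; neither secret is ever placed in a cookie.
APP_SECRET = "constructed-application-secret"
APP_VERSION = "1.0"
USERS = {
    "alice": {"password": "correct horse", "secret": "constructed-per-user-secret"},
}

# Assumption: the quoted message gives no cookie lifetime; one hour is used here.
MAX_AGE_SECONDS = 3600


def auth_hash(username, per_user_secret, ip, issued_at):
    """MD5 over the six fields named in the quoted message.

    Field order and the '|' separator are assumptions; the message does
    not state them. Using a separator keeps adjacent fields from running
    together (e.g. username 'ab' + time '1...' vs username 'ab1' + ...).
    """
    fields = [username, per_user_secret, APP_SECRET, APP_VERSION, ip, str(issued_at)]
    return hashlib.md5("|".join(fields).encode()).hexdigest()


def login(username, password, ip, now=None):
    """Check posted credentials; on success return the three cookie values."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    issued_at = int(now if now is not None else time.time())
    return {
        "user": username,
        "issued": str(issued_at),
        "auth": auth_hash(username, user["secret"], ip, issued_at),
    }


def verify(cookies, ip, now=None):
    """Recompute the hash from server-side secrets and compare.

    The username and timestamp arrive from the client, but the server
    would have to know both to recompute the hash anyway; what a forger
    lacks is the two secrets. The timestamp also gives the server an
    expiry check without storing session state.
    """
    user = USERS.get(cookies.get("user", ""))
    if user is None:
        return False
    try:
        issued_at = int(cookies["issued"])
    except (KeyError, ValueError):
        return False
    now = int(now if now is not None else time.time())
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False
    expected = auth_hash(cookies["user"], user["secret"], ip, issued_at)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, cookies.get("auth", ""))


if __name__ == "__main__":
    # Sample session on a constructed client address.
    cookies = login("alice", "correct horse", "192.0.2.10", now=1000)
    print("issued:", cookies)
    print("same client, in time:", verify(cookies, "192.0.2.10", now=1500))
    print("other address:", verify(cookies, "192.0.2.11", now=1500))
    print("after expiry:", verify(cookies, "192.0.2.10", now=1000 + MAX_AGE_SECONDS + 1))
```

Note that the verifier recomputes the hash from `USERS` rather than trusting anything in the cookie, so changing the visible `user` or `issued` value without the secrets simply produces a mismatch; binding to the IP address and checking the age are the two extra rejections the quoted design buys with its plaintext fields.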
