On Thu, 20 Apr 2000, DeWitt Clinton wrote:
> 5) The secure token is associated on the server side (preferably on
> another tier, such as a database) with the user identification token.
> Additionally, to support secure session timeouts, the current time
> must be recorded.

An easy way to implement timeouts is to store a timestamp and a lifetime
in the secure token itself. For instance, the handler I wrote for our
web-based administration system at work concatenates the user's username,
IP address, the current time, and a lifetime, then encrypts them with
Blowfish and sends out the ciphertext in a cookie. Each time a user
connects, the PerlAuthenHandler decrypts the token and verifies that
timestamp + lifetime > current time.

> Briefly, the advantage to using cookies is that:
>
> a) The user identification token can persist between browser sessions,
> provided they don't explicitly log out.

Another big win is that the secure token can persist across multiple
servers. I implemented my cookie-based PerlAuthenHandler because our
administration system is spread out over four servers. Using Basic
authentication, users had to re-enter their password for each one. With
cookies, they can authenticate once on the main server and access the rest
with the token.

> Over the past six months, eZiba was overwhelmed by requests to use
> this technology. I'm happy to say that we are spinning off a new
> venture, Avacet, Inc., to make this platform available to the
> community. And here's the best part -- everything Avacet does will be
> available open source and free via the GPL.

I look forward to seeing it.

- Matt
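The token scheme described in the message above, as an added example that is not Matt's handler or any code from the original thread: the Blowfish encryption is swapped for an HMAC (Python's standard library has no Blowfish), which is also what makes the username, IP, timestamp and lifetime tamper-evident before the expiry check is trusted. The secret key, function names and sample values are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; a real handler loads it from configuration.
SECRET_KEY = b"example-shared-secret-for-the-admin-servers"


def issue_token(username: str, ip: str, lifetime: int, now: Optional[int] = None) -> str:
    """Build "username|ip|issued_at|lifetime", append an HMAC over it, encode for a cookie."""
    issued_at = int(time.time()) if now is None else now
    payload = f"{username}|{ip}|{issued_at}|{lifetime}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_token(token: str, client_ip: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the token is authentic, bound to client_ip and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw.rsplit(b"|", 1)
    except ValueError:
        return None  # not base64, or no MAC separator present
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None  # altered or forged: none of the fields can be trusted
    try:
        username, ip, issued_at, lifetime = payload.decode().split("|")
        issued_at, lifetime = int(issued_at), int(lifetime)
    except ValueError:
        return None  # malformed field layout
    if ip != client_ip:
        return None  # presented from a different address than it was issued to
    if issued_at + lifetime <= now:
        return None  # the check from the message: timestamp + lifetime must exceed now
    return username
```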