On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
> > 
> >  3) Perl-based applications can just use the module and the common key
> >     to decrypt the contents of the cookie to find the authenticated
> >     username.  If the cookie is not present redirect to the central
> >     authentication page, passing in the URL to return to after
> >     authentication.
> 
> Hmmm... Can I do it securely without using Kerberos? I think so. Looks like
> if I use https instead of http, people won't be able to steal my (encoded)
> session information as it is transmitted. And I can also add the IP address
> to the cookie information.
> 
> But the cookies file might be readable by other people! If they can steal
> that file and change the IP address of another machine to yours, they can
> pretend they are you!
> I wonder if there is a way out of this...

Yes, you use the timestamp.  Just reauthenticate the user when they
try to do 'sensitive' activities.

For example you might allow someone to view their bank balance if they
typed their password within the last 2 hours.  Transferring money
might require a valid password within the last 10 minutes.

Of course, the best authentication system for banking I've seen is
from UBS.  They send you a scratchlist of around 100 numbers.  Every
time you login you use one of the numbers and cross it off.  Very
slick.


-- 
Paul Lindner    [EMAIL PROTECTED]   ||||| | | | |  |  |  |   |   |

    mod_perl Developer's Cookbook   http://www.modperlcookbook.org
         Human Rights Declaration   http://www.unhchr.ch/udhr/index.htm

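The timestamp scheme from the reply above, written out as an added Perl example (not code from this thread or from the mod_perl project). It assumes the core Digest::SHA module, a placeholder shared secret, and a cookie layout of user, client IP, time of last password entry and an HMAC over those fields; it signs the cookie rather than encrypting it as the original proposal did, which is enough to make a copied or edited cookie fail verification. The IP check answers the "cookies file readable by other people" worry, and the per-action maximum age is what forces reauthentication for sensitive operations.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Placeholder shared secret (assumption): load it from a file readable only
# by the web server, never hard-code it as done here for the demo.
my $SECRET = 'replace-with-a-long-random-secret';

# Cookie value: user:ip:auth_time:mac. The MAC covers the first three fields,
# so changing the user or IP, or copying the cookie to another host, is caught.
sub make_cookie {
    my ($user, $ip, $auth_time) = @_;
    my $payload = join ':', $user, $ip, $auth_time;
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    return "$payload:$mac";
}

# Returns (user, auth_time) if the cookie is genuine and was issued to this
# client IP, otherwise an empty list (caller redirects to the login page).
sub parse_cookie {
    my ($cookie, $client_ip) = @_;
    my ($user, $ip, $auth_time, $mac) = split /:/, $cookie, 4;
    return unless defined $mac;
    my $expected = hmac_sha256_hex(join(':', $user, $ip, $auth_time), $SECRET);
    return unless $mac eq $expected;    # forged or tampered cookie
    return unless $ip  eq $client_ip;   # replayed from a different machine
    return ($user, $auth_time);
}

# Freshness policy from the reply: balance view within 2 hours of the last
# password entry, money transfer within 10 minutes (seconds).
my %max_age = ( view_balance => 2 * 60 * 60, transfer => 10 * 60 );

# Decide what the application should do for $action at time $now.
sub authorize {
    my ($cookie, $client_ip, $action, $now) = @_;
    my ($user, $auth_time) = parse_cookie($cookie, $client_ip);
    return 'redirect_to_login' unless defined $user;
    return 'reauthenticate'    if $now - $auth_time > $max_age{$action};
    return "ok:$user";
}

# Constructed demo values: one login, then requests half an hour later.
my $t0     = 1_000_000;
my $cookie = make_cookie('alice', '192.0.2.10', $t0);
my $later  = $t0 + 30 * 60;

print authorize($cookie, '192.0.2.10', 'view_balance', $later), "\n";
print authorize($cookie, '192.0.2.10', 'transfer',     $later), "\n";
print authorize($cookie, '192.0.2.99', 'view_balance', $later), "\n";

# Edit the user field without recomputing the MAC: verification fails.
(my $tampered = $cookie) =~ s/^alice/bob/;
print authorize($tampered, '192.0.2.10', 'view_balance', $t0), "\n";
```

Two points to keep in mind when adapting this: the `eq` comparison of the MAC is not constant-time, so a production version should compare the two digests in a way that does not leak how many leading bytes matched, and the colon separator assumes usernames and addresses without colons (IPv6 clients would need a different delimiter or an encoded payload).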