We're starting to get some data now and I'm seeing a few minor problems with the implementation of the idea.
Here's one: if a request arrives with a cookie that is associated with a different IP address then we create a new session entry and send a new cookie. I'm noticing that some users have IP addresses that change very frequently. This seems particularly likely with mobile devices. We're going to have to tweak the algorithm a bit to track activity across those requests - or use some attribute of the IP address instead of just the IP address - to trigger rotation of the session identity.

On Sun, Oct 11, 2009 at 10:19 AM, Randal L. Schwartz <mer...@stonehenge.com> wrote:

> >>>>> "Douglas" == Douglas Sims <ratsb...@gmail.com> writes:
>
> Douglas> I've tried to follow the philosophy that Randal Schwartz described in
> Douglas> a recent thread here - a cookie is just a serial number for a
> Douglas> browser. By rotating the cookies often we're hoping to avoid
> Douglas> problems with stolen or leaked sessions and by storing the previous
> Douglas> session id (if there is one) with every new session we're planning to
> Douglas> be able to build a linked list of session activity which we can
> Douglas> correlate with specific users who log in at any part of that linked
> Douglas> list.
>
> That's an interesting idea... brand the browser, but rotate it from time to
> time, maintaining a list. Thanks for suggesting that... I'll have to explore
> that in some future project.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
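The scheme the thread describes (brand the browser with a serial-number cookie, rotate it on a timer or when the client address moves, link each new id to the one it replaced, and attribute a chain to whoever logged in anywhere along it) as an added illustration in Python. This is not code from the thread or from Seaside; the class and function names, the rotation interval, the use of an address prefix as the "attribute of the IP address", and the constructed mobile traffic in the simulation are all my assumptions.

```python
"""Browser "branding" with rotating session ids and a linked chain.

Added illustration only; names, intervals and sample traffic are assumptions,
not the poster's implementation.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    sid: str
    ip: str                      # address seen when this id was issued
    issued_at: float
    previous_sid: Optional[str]  # id this one rotated from; None for a fresh browser
    user: Optional[str] = None   # set when a login happens on this id
    retired: bool = False        # True once a successor id has been issued


class SessionStore:
    def __init__(self, rotate_after: float = 600.0, ip_prefix: int = 32):
        # ip_prefix=32 compares the whole IPv4 address (rotates on every hop of
        # a mobile client); a shorter prefix, e.g. 16, compares only the network
        # part, which is one reading of "some attribute of the IP address".
        self.rotate_after = rotate_after
        self.ip_prefix = ip_prefix
        self.sessions: dict[str, Session] = {}
        self.reuse_of_retired = 0  # a replaced cookie was presented again

    def _ip_key(self, ip: str) -> str:
        net = ipaddress.ip_network(f"{ip}/{self.ip_prefix}", strict=False)
        return str(net)

    def _issue(self, ip: str, now: float, previous: Optional[str]) -> str:
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session(sid, ip, now, previous)
        return sid

    def request(self, cookie_sid: Optional[str], ip: str, now: float) -> str:
        """Handle one request; return the sid the browser should hold afterwards."""
        sess = self.sessions.get(cookie_sid) if cookie_sid else None
        if sess is None:
            # No or unknown cookie: brand the browser with a fresh, unlinked id.
            return self._issue(ip, now, previous=None)
        if sess.retired:
            # A cookie we already replaced came back: a stale request from the
            # real browser, or a copy held by someone else. Don't resurrect the
            # chain; start a new one and count the event.
            self.reuse_of_retired += 1
            return self._issue(ip, now, previous=None)
        expired = now - sess.issued_at >= self.rotate_after
        moved = self._ip_key(sess.ip) != self._ip_key(ip)
        if expired or moved:
            sess.retired = True
            return self._issue(ip, now, previous=sess.sid)  # link to predecessor
        return sess.sid

    def login(self, sid: str, user: str) -> None:
        self.sessions[sid].user = user

    def chain(self, sid: str) -> list:
        """Walk previous_sid links back to the first id the browser was given."""
        out = []
        cur = self.sessions.get(sid)
        while cur is not None:
            out.append(cur.sid)
            cur = self.sessions.get(cur.previous_sid) if cur.previous_sid else None
        return out

    def user_for(self, sid: str) -> Optional[str]:
        """Attribute a request to whoever logged in anywhere along its chain."""
        for s in self.chain(sid):
            if self.sessions[s].user:
                return self.sessions[s].user
        return None


def simulate_mobile_client(ip_prefix: int) -> dict:
    """Constructed traffic (not real data): one browser whose carrier-assigned
    address hops on every request inside 10.20.0.0/16, logging in first."""
    hops = ["10.20.1.5", "10.20.7.9", "10.20.33.2", "10.20.1.5"]
    store = SessionStore(rotate_after=600.0, ip_prefix=ip_prefix)
    sid = store.request(None, hops[0], now=0.0)
    store.login(sid, "douglas")
    rotations = 0
    for i, ip in enumerate(hops[1:], start=1):
        new_sid = store.request(sid, ip, now=float(i))
        if new_sid != sid:
            rotations += 1
        sid = new_sid
    return {"rotations": rotations, "user": store.user_for(sid),
            "chain_len": len(store.chain(sid))}
```

With the full-address check the simulated mobile client rotates on every request and its chain grows by one id per hop; with a /16 comparison it keeps one id, but a cookie copied to another host in the same carrier block then no longer trips the address check, so the timed rotation is what bounds the window a leaked cookie stays valid, and the count of retired ids being presented again is the signal that a copy exists somewhere.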