|
Walden, I'm going to have to admit to a case of not seeing the forest for the trees on this one (still, messing with CIPHER was fun and I will need to use what I developed down the road) or at least trying too hard to make what I'm doing work more like the save password feature in IE and Mozilla based browsers. We're currently using a session cookie that's basically what you describe as option three. The session cookie is a hash of a GUID and a few other things and we store the hash and an expiration date in a table. Since it's a session cookie that expires after a period of inactivity, we're not putting anything to lock it to a single machine but that's a great idea. Thanks, Matt -----Original Message----- From: Walden H. Leverich [mailto:WaldenL@xxxxxxxxxxxxxxx] Sent: Wednesday, October 06, 2004 9:29 AM To: Web Enabling the AS400 / iSeries Subject: [WEB400] FW: CIPHER'n problem All, This is moved from the RPG list since it's become a Web topic, not an RPG topic. Matt, I still wouldn't store the password in the cookie, encrypted or not. If someone breaks the encryption, or just hijacks the cookie, they'll be able to get on w/o a problem and no one will know. Since you've moved to forms-based authentication you have many more options since you are in complete control of the process. We've done a couple of ways in the past. First, store the username and a flag that says they're authenticated. The advantage here is that while they can still hijack the cookie, at least then can't get the password to allow them access from anywhere since the password isn't in the cookie. The disadvantage is that a change of the password on the server side doesn't invalidate the stored login. Second, store the username and a hash of the password, but not the password itself. This way if the password is changed on the server side the hash is now different and invalid. Third, and my current favourite, store a GUID in the cookie. The GUID is your key to a server-side table that contains a list of "remember me" entries. If they have a valid "remember me" then they bypass the login process. The advantage here is that you can kill all "remember me" entries for a user by deleting the rows in the table. So if the user doesn't have access to a PC any longer he can still force that PC to forget. You can also add logic like allowing a user to remember me from only one PC at a time. When they click remember me from the second PC you delete the row for the old PC. The only thing you need to take care of is how you deal with changed passwords. You can just delete all remember me entries when the password changes, or store some hash of the password in the remember me row. JMTCW. -Walden ------------ Walden H Leverich III President & CEO Tech Software (516) 627-3800 x11 WaldenL@xxxxxxxxxxxxxxx http://www.TechSoftInc.com Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) -----Original Message----- From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Haas, Matt Sent: Tuesday, 05 October, 2004 13:55 To: RPG programming on the AS400 / iSeries Subject: RE: CIPHER'n problem I know better than to save credit card or SSN information in a cookie (encrypted or not). Basically, what we did is switch from basic authentication to using forms and I've been asked for the site to remember the login information so the customers don't need to type in their user id and password (basically, the same functionality the "remember me" check box in the basic auth dialog gives you). If my thinking's correct, this will be better security than what we had with basic auth since login information will be passed both to and from the server encrypted instead of Base64 encoded. If you have better ideas about accomplishing this, I'd love to hear them but we should either go off-list or switch to either Web-400 or Ignite/400 since it really isn't an RPG topic. If nothing else, I know there are other things coming up that will require encryption and now I have a working program to use as a base for something production level. Matt -----Original Message----- From: Walden H. Leverich [mailto:WaldenL@xxxxxxxxxxxxxxx] Sent: Tuesday, October 05, 2004 12:28 PM To: RPG programming on the AS400 / iSeries Subject: RE: CIPHER'n problem >For an upcoming project, I need to store some encrypted data in >a cookie which has me looking at using the CIPHER MI >instruction to do this. OK, I know this isn't what you asked, but I can't resist... WHY? You shouldn't be saving anything in a cookie that needs to be encrypted. If you're saving any personal information (name, credit card #, SSN, etc.) in the cookie, please don't. If you're saving the key to your server-side files that contain that information then why bother encrypting it? -Walden ------------ Walden H Leverich III President & CEO Tech Software (516) 627-3800 x11 WaldenL@xxxxxxxxxxxxxxx http://www.TechSoftInc.com Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.)
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.