[thelist] Bypassing a login

David.Cantrell at Gunter.AF.mil
Tue Jan 28 11:04:19 CST 2003


>Thanks for the tip, I guess that is pretty obvious isn't it.  I imagine that
>this could also be extended to include when the user travels outside of the
>secure area to the home page or photo gallery.  Set a cookie that holds the
>same info? or should I generate some new information once the user is logged
>in to keep track of the session?

I wouldn't use a cookie. What if you just set a cookie to read
"authenticated" and then I decide to spoof it? Of course *knowing* what your
cookie is structured like without actually *having* one (because I'm not
authenticated) would be tough, but still I don't like the idea of storing
authentication information in a plain-text file on the user's machine.

ASP/ASP.NET (and CF and PHP and JSP...) have the ability to perform session
management through a simple automatic cookie which is placed and references
the session id, so the server can track session state across requests. And
it persists for 20 minutes (by default) past the user's last access to the
affected application, so they can go to other areas of the site and then
come back within that time window and still be authenticated.

-dave
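
To make the two approaches Dave contrasts concrete, here is an added example (not code from the original thread or from any of the platforms named in it): a plain-text "authenticated" cookie that any client can forge, beside a server-side session table keyed by an opaque random id with a sliding 20-minute idle timeout. The cookie names `authenticated` and `SESSIONID`, the user `alice`, and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 20 minutes of idle time before a session expires (the default the post mentions).
SESSION_TIMEOUT_SECONDS = 20 * 60


def weak_is_authenticated(cookies: Dict[str, str]) -> bool:
    """The approach the reply argues against: the cookie itself carries the
    authentication claim, so anyone who can guess its layout can forge it.
    (Cookie name 'authenticated' is assumed for the demo.)"""
    return cookies.get("authenticated") == "true"


@dataclass
class SessionRecord:
    user: str
    last_access: float


class SessionStore:
    """Server-side session table keyed by an opaque random id.

    The browser only ever holds the id; the fact that the user is logged in,
    and who they are, stays on the server. `clock` is injectable so expiry
    can be exercised without waiting 20 minutes."""

    def __init__(self, timeout: int = SESSION_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, SessionRecord] = {}
        self._timeout = timeout
        self._clock = clock

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: not guessable, unlike a counter or a
        # hash of the username.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = SessionRecord(username, self._clock())
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Return the username for a live session, or None. Each successful
        lookup slides the idle timer forward, so a user who wanders off to the
        photo gallery and comes back within the window stays logged in."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        now = self._clock()
        if now - record.last_access > self._timeout:
            # Idle too long: drop the record so the id can never be reused.
            del self._sessions[session_id]
            return None
        record.last_access = now
        return record.user

    def destroy(self, session_id: str) -> None:
        """Logout: forget the session on the server side."""
        self._sessions.pop(session_id, None)


def strong_current_user(store: SessionStore, cookies: Dict[str, str]) -> Optional[str]:
    """Authenticate a request from its session cookie; None means not logged in.
    (Cookie name 'SESSIONID' is assumed for the demo.)"""
    session_id = cookies.get("SESSIONID")
    if not session_id:
        return None
    return store.lookup(session_id)


def demo() -> Dict[str, object]:
    """Walk both schemes through the forgery and idle-timeout cases."""
    fake_now = [1_000_000.0]  # controllable clock, constructed for the demo
    store = SessionStore(clock=lambda: fake_now[0])

    # An attacker who has never logged in forges the plain-text cookie.
    forged_weak = weak_is_authenticated({"authenticated": "true"})

    # Against the server-side store, a forged or guessed id matches nothing.
    forged_strong = strong_current_user(store, {"SESSIONID": "AAAAAAAA"})

    # Real login: the server issues an id and the browser sends it back.
    sid = store.create("alice")
    after_login = strong_current_user(store, {"SESSIONID": sid})

    # 19 minutes later the user returns from the photo gallery: still logged in.
    fake_now[0] += 19 * 60
    after_19_min = strong_current_user(store, {"SESSIONID": sid})

    # Another 21 idle minutes exceeds the 20-minute window: the session is gone.
    fake_now[0] += 21 * 60
    after_expiry = strong_current_user(store, {"SESSIONID": sid})

    return {
        "forged_weak": forged_weak,
        "forged_strong": forged_strong,
        "after_login": after_login,
        "after_19_min": after_19_min,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the sliding timer in `lookup` is the behaviour Dave describes: every authenticated request restarts the 20-minute window, so leaving the secure area and coming back within it costs nothing, while a session left idle past the window is discarded rather than merely ignored.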


