March 15th, 2003, 05:48 PM
Cookie authentication and encrypting
I'm writing a web app that uses automatic log in with cookies.
that part is fine and dandy and it works a charm. Now I obviously don't want to store an unencrypted userId in the cookie. I'm just not clear on the public/private key thing and how to store the values (and retrieve them when checking the cookie).
The process goes like this:
user logs in
public and private keys are generated
private key is stored
public key is put into cookie with userId
user comes back to the site
cookie value is retrieved
private key is retrieved
public key is checked against private key
if the keys are valid then the user is logged in
I just don't know exactly how to go about doing this.
can the keys be stored in a database and what datatype should they be? should I store them in a string and then write them to the db? (I'm using PostgreSQL)
will they match up if I convert the String back into a byte array?
I'm a little lost here so any help would be appreciated, thanks
March 16th, 2003, 07:58 PM
I understand your idea to use a public key for some security, but on the top it does not look like this would be much more secure than having an unencrypted cookie on the users machine.
The idea behind not storing a users name and password in a cookie is that anyone can take the cookie and read the info. However, in the case where it is encrypted using a public key, and the user does not have to supply a user name or anything when accessing the site, then all a malicious someone would have to do is take the cookie and put it on another machine to gain access, no? If I am wrong please correct me, maybe I am missing something.
March 16th, 2003, 10:22 PM
you're absolutely right, do you have any suggestions?
I've been thinking about storing a second cookie that has the key in it so that both of them would have to be sniffed at the same time. I'd just put a really short expiration on the second one.
Like I said tho, I'm really open to suggestion on this one.
March 16th, 2003, 10:35 PM
I once setup a system so that certain users were 'auto' logged in. What I used was to let users add an IP to their profile. If they were logging in from this IP, then they were not challenged. This will only work if they have a static IP, dialup need not apply.
This also has some security risks. Some I can think of off the top of my head are:
1) If a user sets an IP to a router, all people behind that router can gain access.
2) If someone WERE to use a dialup IP, the next person to get that IP assigned to them from the ISP would be able to gain access (I realize this is highly unlikely to happen, let alone for the person getting the IP to know and utilize this information).
Anyway, auto logins are inherently unsafe. You better decide how private the information is you are trying to guard and decide if the chance of exposure outways the need for convenience.
btw, you can get a users IP using:
if you were wondering.