#1
Cthulu-ish, Devshed Newbie (0 - 499 posts), joined Sep 2002, Seattle, 31 posts, Rep Power 13

Cookie authentication and encrypting

I'm writing a web app that uses automatic log in with cookies.

That part is fine and dandy and it works a charm. Now I obviously don't want to store an unencrypted userId in the cookie. I'm just not clear on the public/private key thing and how to store the values (and retrieve them when checking the cookie).

    The process goes like this:

    user logs in
    public and private keys are generated
    private key is stored
    public key is put into cookie with userId

    user comes back to the site
    cookie value is retrieved
    private key is retrieved
    public key is checked against private key
    if the keys are valid then the user is logged in


I just don't know exactly how to go about doing this.

Can the keys be stored in a database, and what datatype should they be? Should I store them in a string and then write them to the db? (I'm using PostgreSQL)

Will they match up if I convert the String back into a byte[] array?

I'm a little lost here so any help would be appreciated, thanks
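The scheme the post describes (public key in the cookie, private key in the database) gives no benefit over an opaque random token, because whoever holds the cookie holds everything needed to log in. What is usually done instead is shown below as an added example, not code from the original poster: the cookie carries a random token, the database stores only a SHA-256 hash of it next to the userId and an expiry, and the check on return is a constant-time hash comparison. The in-memory Map, the `issue`/`verify`/`revoke` names and the 30-day lifetime are assumptions standing in for the PostgreSQL table and the servlet glue.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: a server-side "remember me" token instead of a key pair.
 * The cookie value is "selector:validator"; only SHA-256(validator) is stored,
 * so a leaked database row cannot be replayed as a cookie.
 */
public class RememberMe {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_SECONDS = 30L * 24 * 60 * 60; // assumed 30-day lifetime

    /** One row of the hypothetical remember_me table. */
    static final class Row {
        final byte[] tokenHash; final int userId; final Instant expires;
        Row(byte[] h, int u, Instant e) { tokenHash = h; userId = u; expires = e; }
    }

    // Stand-in for: SELECT token_hash, user_id, expires FROM remember_me WHERE selector = ?
    private final Map<String, Row> table = new HashMap<>();

    /** Called right after a password login. Returns the value to put in the cookie. */
    public String issue(int userId) {
        byte[] selector = new byte[12];   // lookup key, may be stored in the clear
        byte[] validator = new byte[32];  // the secret; only its hash is stored
        RNG.nextBytes(selector);
        RNG.nextBytes(validator);
        String sel = b64(selector);
        table.put(sel, new Row(sha256(validator), userId, Instant.now().plusSeconds(TTL_SECONDS)));
        return sel + ":" + b64(validator);
    }

    /** Called on a return visit with cookie.getValue(). Returns the userId, or -1 to reject. */
    public int verify(String cookieValue) {
        if (cookieValue == null) return -1;
        int colon = cookieValue.indexOf(':');
        if (colon <= 0 || colon == cookieValue.length() - 1) return -1;
        String sel = cookieValue.substring(0, colon);
        Row row = table.get(sel);
        if (row == null) return -1;
        if (Instant.now().isAfter(row.expires)) { table.remove(sel); return -1; }
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieValue.substring(colon + 1));
        } catch (IllegalArgumentException e) {
            return -1; // malformed cookie, treat as absent
        }
        // Constant-time comparison so response timing does not leak matching prefixes.
        return MessageDigest.isEqual(sha256(presented), row.tokenHash) ? row.userId : -1;
    }

    /** Invalidate the token on logout or when a stolen cookie is suspected. */
    public void revoke(String cookieValue) {
        int colon = cookieValue == null ? -1 : cookieValue.indexOf(':');
        if (colon > 0) table.remove(cookieValue.substring(0, colon));
    }

    // URL-safe Base64 gives a plain String that round-trips to the same bytes,
    // which answers the "string in the db vs. byte[]" question: store this text.
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    static byte[] sha256(byte[] in) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(in);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        RememberMe rm = new RememberMe();
        String cookie = rm.issue(42);
        String wrongSecret = cookie.substring(0, cookie.indexOf(':') + 1) + b64(new byte[32]);
        System.out.println("cookie value          : " + cookie);
        System.out.println("verify(cookie)        : " + rm.verify(cookie));       // 42
        System.out.println("verify(wrong secret)  : " + rm.verify(wrongSecret));  // -1
        rm.revoke(cookie);
        System.out.println("verify(after revoke)  : " + rm.verify(cookie));       // -1
    }
}
```

Store the Base64 text in a `text`/`varchar` column (or the raw bytes in `bytea`); decoding the string returns byte-for-byte the same array, so the match-up question is not an issue. This does not stop someone who copies the cookie from logging in, which is the objection raised later in the thread; it only bounds the damage through the expiry, the ability to revoke a token server-side, and the fact that a database dump alone yields nothing usable. Set the cookie with `HttpOnly` and, where the site is served over HTTPS, `Secure`.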
#2
Clueless llama, Devshed Regular (2000 - 2499 posts), joined Feb 2001, Lincoln, NE. USA, 2,353 posts, Rep Power 117

I understand your idea to use a public key for some security, but on the top it does not look like this would be much more secure than having an unencrypted cookie on the user's machine.

The idea behind not storing a user's name and password in a cookie is that anyone can take the cookie and read the info. However, in the case where it is encrypted using a public key, and the user does not have to supply a user name or anything when accessing the site, then all a malicious someone would have to do is take the cookie and put it on another machine to gain access, no? If I am wrong please correct me, maybe I am missing something.
#3
Cthulu-ish, Devshed Newbie (0 - 499 posts), joined Sep 2002, Seattle, 31 posts, Rep Power 13

You're absolutely right, do you have any suggestions?

I've been thinking about storing a second cookie that has the key in it so that both of them would have to be sniffed at the same time. I'd just put a really short expiration on the second one.

Like I said though, I'm really open to suggestion on this one.

Thanks
#4
Clueless llama, Devshed Regular (2000 - 2499 posts), joined Feb 2001, Lincoln, NE. USA, 2,353 posts, Rep Power 117

I once set up a system so that certain users were 'auto' logged in. What I used was to let users add an IP to their profile. If they were logging in from this IP, then they were not challenged. This will only work if they have a static IP, dialup need not apply.

This also has some security risks. Some I can think of off the top of my head are:
1) If a user sets an IP to a router, all people behind that router can gain access.
2) If someone WERE to use a dialup IP, the next person to get that IP assigned to them from the ISP would be able to gain access (I realize this is highly unlikely to happen, let alone for the person getting the IP to know and utilize this information).

Anyway, auto logins are inherently unsafe. You had better decide how private the information is you are trying to guard and decide if the chance of exposure outweighs the need for convenience.

btw, you can get a user's IP using:
Code:
request.getRemoteAddr();
if you were wondering.
