Re: password questions
"Roedy Green" <my_email_is_posted_on_my_website@xxxxxxxxxxxxxx> wrote in
message news:ab98u1lkfeu49o3diesp25dtd2951bpqqu@xxxxxxxxxx

How does the server remember that a client is logged in? Does the
browser send a cookie each time? Is some sort of login dance done on
every transaction? Is the userid/password embedded in the URL every
time?

What's usually done in the PHP world is that the first time a browser
goes to a site, it has no cookie, and says so when asked for one. So the
server then asks for username and password, which the browser provides. The
server then gives a cookie which contains a random number between 1 and a
gazillion. The server stores all relevant information (e.g. username and
password) in a file whose filename is the same as the number given to the
browser. Let's say, for example, the server gave the browser the number "42"
for the cookie.

On the next request, the browser asks for a page, and gives the cookie with
the number "42". The server then looks at its files, finds the one labelled
"42", and now has the username and password and any other useful information
locally, all without the browser re-sending it.

Periodically, the server may delete all the files which are older than 5
minutes, for example.

A cracker makes a request, trying to masquerade as the authenticated
user. The server will ask for the number in the cookie. Since the cookie
number is any random number between 1 and a gazillion, and there are only,
say, 1 million active users at a time, the chances of the cracker guessing a
number that is currently in use is 1 million divided by 1 gazillion.

Generally, it's easier for the cracker just to say he doesn't have a
cookie, and try to guess the passwords, rather than guessing the cookie
number, because people tend to choose insecure passwords.

- Oliver
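The login-then-cookie exchange described in the post, written out as an added example (this is not code from the post or from any PHP session library). It models one server with an in-memory session table instead of per-session files, a 5-minute idle sweep, and a cookie that carries only the random session id. Two details go beyond the post's sketch: the session record holds the username but not the password (once the login succeeded there is no reason to keep the password around), and the id is drawn from a cryptographic RNG with 256 bits of entropy, which is what makes the "one guess in a gazillion" argument hold. The user table, the password and the injectable clock are constructed for the example.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 300          # seconds; the post's "older than 5 minutes" sweep
SESSION_ID_BYTES = 32      # 256 bits of randomness: the "1 to a gazillion" range

# Constructed user table for the example (username -> password).
# A real server would store salted password hashes, never plaintext.
USERS = {"roedy": "correct horse battery staple"}


class SessionStore:
    """Server-side session table keyed by a random session id (the post's 'file 42')."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be exercised without sleeping
        self._sessions = {}           # sid -> {"user": str, "last_seen": float}

    def create(self, username):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # CSPRNG, not random.random()
        self._sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the username for a live session, or None (dropping it if it has expired)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.ttl:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now     # sliding expiry: activity keeps the session alive
        return entry["user"]

    def sweep(self):
        """The periodic cleanup from the post: delete every session idle longer than ttl."""
        now = self.clock()
        stale = [s for s, e in self._sessions.items() if now - e["last_seen"] > self.ttl]
        for s in stale:
            del self._sessions[s]
        return len(stale)

    def active(self):
        return len(self._sessions)


def guess_probability(active_sessions, id_bits=SESSION_ID_BYTES * 8):
    """Chance that a single random guess hits a live session id ('1 million / 1 gazillion')."""
    return active_sessions / 2 ** id_bits


def check_password(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())   # constant-time compare


def set_cookie_header(sid):
    """Value of the Set-Cookie header handed to the browser after a successful login."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not readable from script
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def sid_from_cookie_header(cookie_header):
    """Pull the session id out of a request's Cookie header, or None if there is no cookie."""
    if not cookie_header:
        return None
    c = SimpleCookie()
    c.load(cookie_header)
    return c["sid"].value if "sid" in c else None


def handle_request(store, cookie_header, credentials=None):
    """One request. Returns (status, username, set_cookie_value_or_None)."""
    sid = sid_from_cookie_header(cookie_header)
    user = store.lookup(sid) if sid else None
    if user is not None:
        return "ok", user, None                 # cookie matched a live session
    if credentials is None:
        return "login required", None, None     # no cookie (or a dead/guessed one): ask for a login
    username, password = credentials
    if not check_password(username, password):
        return "bad credentials", None, None
    sid = store.create(username)
    return "ok", username, set_cookie_header(sid)
```

A forged or expired cookie is indistinguishable from "no cookie" from the client's point of view: both paths end in "login required", so the attacker learns nothing about which ids are live, and with 256-bit ids the guessing odds are far below what any password list offers, which is the post's closing point.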

