Re: tracking logins



On Tue, 27 Jan 2009 17:26:15 -0800, Roedy Green
<see_website@xxxxxxxxxxxxxxxxxxxx> wrote, quoted or indirectly quoted
someone who said :

What schemes have you seen/conceived of for a server to keep track of
which login session a client is in?

Summarising what I have learned:

You might wonder how, after the login is complete, the server can
tell if messages coming in from the Internet are from people who are
already logged in. There are a number of ways of doing it. Some you
might think would work don't.


1. By IP. You might think the server could just check if an IP in a
message header was from someone logged in. This does not work because
IPs are shared. Everyone in your home on the LAN, when they access the
Internet, comes from the same IP, the IP of your router.

2. By TCP/IP session. You might think the server would just check that
the message came in on the same TCP/IP session as the user logged in
on. This won't work since you often connect with multiple sessions,
and you would not want to have to relogin just because a session
tanked.

3. Basic. The server sends you id/password with every request that is
restricted. This method is not secure since the id/password pair is in
plain text for any snoop to see.

4. NTLM. This is a Microsoft proprietary protocol that will only work
with Microsoft servers and clients. I don't know how it works. Java
supports it.

5. By Cookie. The server sends a cookie at login time, and the user
includes this cookie with each message to the server. This method is
not secure since anyone snooping can spoof the user by just copying
the invariant cookie. Further, the client's browser must be configured
to accept cookies, a practice which invites all manner of malicious
spying.

6. By HTTP auth digest (RFC 2617). Here each incoming message is
digitally signed in an unforgeable way. The disadvantage of this
approach is it takes a bit more CPU time to compute the digests and
requires more transmission overhead. The advantage is it is the
most secure method without resorting to a fully encrypted data stream.
--
Roedy Green Canadian Mind Products
http://mindprod.com

"Here is a point of no return after which warming becomes unstoppable
and we are probably going to sail right through it.
It is the point at which anthropogenic (human-caused) warming triggers
huge releases of carbon dioxide from warming oceans, or similar releases
of both carbon dioxide and methane from melting permafrost, or both.
Most climate scientists think that point lies not far beyond 2°C (4°F) hotter."
~ Gwynne Dyer
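A worked example of scheme 6 above (RFC 2617 digest with qop=auth), added here and not part of the original post: the client computes the response from the server's nonce, and the server checks it from a stored HA1 and uses the nonce count to refuse a replayed or tampered request. The realm, user and the `DigestServer` class are assumptions; the known-answer values used in the check come from the example in RFC 2617 section 3.5.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the server stores only this, not the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = make_ha1(username, realm, password)
    ha2 = _md5(f"{method}:{uri}")          # HA2 binds the method and URI into the digest
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Hypothetical server side: issues nonces, checks responses, tracks nonce counts."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users      # username -> HA1, never the clear-text password
        self.nonces = {}        # nonce -> highest nonce count accepted so far

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce for the WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, uri, username, nonce, nc, cnonce, response) -> bool:
        """Return True only for a correct, never-before-seen (method, URI, nc) under this nonce."""
        ha1 = self.users.get(username)
        if ha1 is None or nonce not in self.nonces:
            return False                       # unknown user, or a nonce we never issued
        count = int(nc, 16)
        if count <= self.nonces[nonce]:
            return False                       # same or older nc: a copied (replayed) request
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False                       # wrong password, or method/URI changed in transit
        self.nonces[nonce] = count
        return True
```

Note that qop=auth covers only the request line, not the body; the plain-text password never crosses the wire, but the traffic itself is still readable without TLS.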