RE: [WebDNA] Encode cookies ONLY via "method=Base64"
This WebDNA talk-list message is from 2008
numero = 101274
What about just creating a new field in your user table called hiddenval. Then when a person logs in, write a cookie with a random number and set that field to the same number for the logged in user. When you check if a person is logged in, all you have to do is perform one lookup to check the cookie against the hidden field value and if a match is found then the record of the validated user is returned. So no matter how hard someone tries to crack your cookie code, it doesn't matter. It is always completely random.

Using this method it is also easy to create the "keep me logged in" option for folks. If checked, then don't expire the cookie. If not checked, then expire after the session is pau.

Oh, if you do this you have to make sure each time you set a cookie it is guaranteed to be random or you will get folks logged in as others!

Aloha,
Olin

-----Original Message-----
From: Kenneth Grome [mailto:kengrome@gmail.com]
Sent: Sunday, October 26, 2008 9:57 PM
To: talk@webdna.us
Subject: Re: [WebDNA] Encode cookies ONLY via "method=Base64"

> I'm curious what you might be using as a routine to
> generate that string of 500 random characters.

I just entered 26 lowercase and 26 uppercase alpha chars and 10 digits into a db file, one record for each char, then I do a search for all records which gives me 62 total chars that can be retrieved, but I limit the search to the first 30 chars and I run the search inside a loop that iterates 70 times, thus giving me a string of 2100 chars. I guess I could use other chars in the db but I know that alphanumerics won't create problems, so I'll probably just stick with what I have for now.

Then I create a random number between 1 and 1000 using several [random] tags and getchars, which limits the resulting random number to 3 chars in length, and I use this [rn] as the start value with 999+[rn] as the end value in another getchars to extract a contiguous segment of the 1000 random chars from the original 2100 random char string -- so yes, I'm using 1000 chars now rather than the 500 chars previously mentioned.

Then I use another db with 50 fields and 50 records, each field containing one unique value ranging from 1-999. These values appear in random order in the columns in the db and there are no duplicates in these columns, so that when I search this db via rank=off I get 50 non-duplicate values ranging from 1-999 in whatever field I choose to retrieve.

Next I count the number of characters in the "string to be encoded", which consists of the username, then a separator string, then the password, all concatenated together. The number of chars in this string determines which field of values to retrieve from my 50x50 db. Each of the 50 retrieved values in the selected field represents a character position in my original 1000 char random string ...

I simply take the value from the first (then second, then third, etc.) record in the db, find the char position corresponding to that value (1-999) in the string of 1000 chars, and replace that char with the first (then second, then third, etc.) char appearing in my "string to be encoded".

When all the chars in my "string to be encoded" have replaced the appropriate chars in my 1000 char string, I use Base64 to further encode the resulting 1000 char string, which becomes 1/3 longer, and that's the value I set as the cookie that identifies whether or not the visitor is valid and logged in.

That's as far as I've gotten with it, and I haven't tested its speed yet, but hopefully it will be 'fast enough'.

:)

Sincerely,
Ken Grome
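Olin's suggestion above, a random per-login value stored in a hidden field of the user table and matched with a single lookup, is the standard pattern for session cookies, and it is what his caveat about guaranteed randomness is protecting. The block below is an added example written for this page, not code from either poster and not WebDNA: it is Python, the user table is a constructed dictionary, the field name hiddenval comes from the post, and three details go beyond what Olin describes: the token comes from the operating system's CSPRNG, only a hash of the token is stored so a copy of the table does not yield usable cookies, and the lookup uses a constant-time comparison. The "keep me logged in" option is modelled as a record with no expiry, the plain session as a sliding expiry (the 30-minute value is constructed).

```python
import hashlib
import hmac
import secrets

# Constructed value: a plain session expires after 30 minutes of inactivity.
# "Keep me logged in" sessions are stored with expires=None, i.e. never expire.
SESSION_TTL_SECONDS = 30 * 60


def make_users():
    """Constructed stand-in for the user table. 'hiddenval' is the field Olin
    describes; 'expires' is an added column for the session-expiry case."""
    return {
        "alice": {"hiddenval": None, "expires": None},
        "bob": {"hiddenval": None, "expires": None},
    }


def _fingerprint(token):
    # Only a hash of the cookie value is stored (an addition to the scheme in
    # the post), so leaking the table does not hand out live cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def new_login_token():
    # 32 bytes from the OS CSPRNG: 256 bits of entropy, so two users being
    # handed the same value (Olin's "folks logged in as others") is not a
    # practical risk, unlike a [random]-style small integer.
    return secrets.token_urlsafe(32)


def login(users, username, remember_me, now):
    """Issue a fresh token for username and return the value to set as the cookie."""
    token = new_login_token()
    fp = _fingerprint(token)
    # Belt-and-braces check for the collision Olin warns about.
    while any(rec["hiddenval"] == fp for rec in users.values()):
        token = new_login_token()
        fp = _fingerprint(token)
    users[username]["hiddenval"] = fp
    users[username]["expires"] = None if remember_me else now + SESSION_TTL_SECONDS
    return token


def touch(users, username, now):
    """Slide the expiry forward on activity for a non-remembered session."""
    rec = users[username]
    if rec["expires"] is not None:
        rec["expires"] = now + SESSION_TTL_SECONDS


def logout(users, username):
    """Invalidate the session server-side; the cookie value is useless afterwards."""
    users[username]["hiddenval"] = None
    users[username]["expires"] = None


def lookup_user(users, cookie_value, now):
    """The one lookup Olin describes: match the cookie against hiddenval.
    Returns the username, or None when no live session matches."""
    if not cookie_value:
        return None
    fp = _fingerprint(cookie_value)
    for username, rec in users.items():
        stored = rec["hiddenval"]
        if stored is None:
            continue
        # Constant-time comparison, so response timing does not reveal how
        # many leading characters of a guessed value were right.
        if hmac.compare_digest(stored, fp):
            if rec["expires"] is not None and now > rec["expires"]:
                logout(users, username)  # stale session: clear it and reject
                return None
            return username
    return None


if __name__ == "__main__":
    users = make_users()
    cookie = login(users, "alice", remember_me=False, now=1000)
    print("cookie value to set:", cookie)
    print("lookup at t=1500:", lookup_user(users, cookie, now=1500))
    print("lookup after expiry:",
          lookup_user(users, cookie, now=1000 + SESSION_TTL_SECONDS + 1))
```

Because the cookie carries nothing but an unguessable handle, there is no username or password in it to recover, and logging out or rotating hiddenval server-side revokes the cookie immediately; both properties are absent from a cookie that encodes the credentials themselves, however they are scrambled.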
"Olin Lagon"