Re: [WebDNA] Secure Cookies
This WebDNA talk-list message is from 2009
texte = --00c09ffb525311a5960476e6264eContent-Type: text/plain; charset=UTF-8Hi guys,I do the following for session cookies:1. When a user logs in I create a record in a sessionDB that includes theiruserID, the time in seconds since epoch, and a unique sessionID using [cart]2. I set the sessionID as a cookie3. Each site has a default timeout - usually 30mins, each time a userrefreshes a page I reset the time in the session db4. If the user is inactive for over 30mins then they are kicked out at thenext attempt to access a page and the record in the sessionDB is deleted5. I run an hourly trigger that deletes any records in the sessionDB wherethe time is over 30mins oldI use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in thiscontext.Finally one thing I don't do is check the clients IP, I found that someusers accessing the net from within large corporations (i.e Microsoft)accessed the site using different IPs even within the same session. Iassume this must be a security feature on the Microsoft end.Take care- Tom--00c09ffb525311a5960476e6264eContent-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableHi guys,
I do the following for session cookies:
1. When a user logs in I create a record in a sessionDB t=hat includes their userID, the time in seconds since epoch, and a unique se=ssionID using [cart]
2. I set the sessionID as a cookie
=3. Each site has a default timeout - usually 30mins, each time a user =refreshes a page I reset the time in the session db
4. If the user is inactive for over 30mins then they are kicked out at= the next attempt to access a page and the record in the sessionDB is delet=ed
5. I run an hourly trigger that deletes any rec=ords in the sessionDB where the time is over 30mins old
I use this for admin pages on our CMS, so I do not use =persistent cookies. =C2=A0I can't see how encrypting the session cookie= improves security in this context.
Finally one th=ing I don't do is check the clients IP, I found that some users accessi=ng the net from within large corporations (i.e Microsoft) accessed the site= using different IPs even within the same session. =C2=A0 I assume this mus=t be a security feature on the Microsoft end.
Take care
- Tom
=
--00c09ffb525311a5960476e6264e--
Tom Duke
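The scheme Tom lays out in steps 1 to 5, as an added worked example that is not part of the original post and is not WebDNA: a small Python model of the session table, the sliding 30-minute inactivity timeout checked on every request, the hourly reaper, and the non-persistent cookie header. `secrets.token_urlsafe` stands in for `[cart]` as the unique-ID source; the `SessionStore` class, its method names, the `sessionID` cookie name and the timestamps are assumptions for illustration, and the `HttpOnly; Secure` cookie flags are the usual hardening for a login cookie, which the post itself does not mention.

```python
"""Server-side session store with a sliding inactivity timeout.

Added example modelling the post above: an unguessable session ID stored in
a session table with the user ID and a last-seen timestamp, a 30-minute
inactivity timeout reset on every request, and a periodic reaper. Generic
Python, not WebDNA; secrets.token_urlsafe stands in for [cart].
"""
import secrets
import time
from dataclasses import dataclass

TIMEOUT_SECONDS = 30 * 60  # per-site default inactivity timeout (30 mins)


@dataclass
class SessionRecord:
    user_id: str
    last_seen: float  # seconds since epoch of the last request


class SessionStore:
    """In-memory stand-in for the sessionDB table (assumed name)."""

    def __init__(self, timeout=TIMEOUT_SECONDS):
        self.timeout = timeout
        self._records = {}  # session_id -> SessionRecord

    def login(self, user_id, now=None):
        """Step 1: create a record keyed by a fresh, unguessable session ID."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG. The ID carries no user data, so the
        # server-side record, not the cookie, is the source of truth; there
        # is nothing in the cookie worth encrypting.
        session_id = secrets.token_urlsafe(32)
        self._records[session_id] = SessionRecord(user_id, now)
        return session_id

    def touch(self, session_id, now=None):
        """Steps 3-4: validate the cookie value on each page request.

        Returns the user_id for a live session and slides the timeout
        forward. Returns None (and drops the record) for an unknown or
        idle-expired session, which is the 'kicked out' case.
        """
        now = time.time() if now is None else now
        record = self._records.get(session_id)
        if record is None:
            return None  # forged, reaped or already logged-out ID
        if now - record.last_seen > self.timeout:
            del self._records[session_id]
            return None
        record.last_seen = now  # reset the inactivity clock
        return record.user_id

    def logout(self, session_id):
        self._records.pop(session_id, None)

    def reap(self, now=None):
        """Step 5: the hourly trigger; returns how many stale rows it removed."""
        now = time.time() if now is None else now
        stale = [sid for sid, r in self._records.items()
                 if now - r.last_seen > self.timeout]
        for sid in stale:
            del self._records[sid]
        return len(stale)

    def __len__(self):
        return len(self._records)


def session_cookie_header(session_id, name="sessionID"):
    """Step 2: Set-Cookie line for a non-persistent session cookie.

    No Expires/Max-Age, so the browser discards it when closed. HttpOnly and
    Secure are added here as standard hardening; the post does not mention them.
    """
    return f"Set-Cookie: {name}={session_id}; Path=/; HttpOnly; Secure"


def demo():
    """Walk two sessions through the lifecycle with a fixed (constructed) clock."""
    t0 = 1_230_000_000.0  # constructed epoch timestamp
    store = SessionStore()
    sid = store.login("alice", now=t0)
    store.login("bob", now=t0)  # bob never comes back
    results = [
        store.touch("not-a-real-id", now=t0),          # None: forged cookie
        store.touch(sid, now=t0 + 29 * 60),            # 'alice': in window, clock reset
        store.touch(sid, now=t0 + 58 * 60),            # 'alice': 29 min since last hit
        store.touch(sid, now=t0 + 89 * 60),            # None: idle 31 min, kicked out
    ]
    reaped = store.reap(now=t0 + 89 * 60)              # bob idle 89 min: 1 row removed
    return results, reaped, len(store)                 # ([None,'alice','alice',None], 1, 0)


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header(SessionStore().login("alice")))
```

Two things the model makes visible. The request-path check in `touch()` already rejects and deletes an idle record, so the hourly reaper in `reap()` is only a backstop for sessions whose owner never returns; neither depends on the other. And because the cookie holds only an opaque random ID, a tampered or guessed value is simply an unknown key in the store, which is why encrypting the cookie adds nothing to this design; what matters is that the ID comes from a CSPRNG and that the server-side record expires.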