Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from Tom Duke, 2009.


Hi guys,

I do the following for session cookies:

1. When a user logs in I create a record in a sessionDB that includes their userID, the time in seconds since epoch, and a unique sessionID using [cart]

2. I set the sessionID as a cookie

3. Each site has a default timeout - usually 30 mins; each time a user refreshes a page I reset the time in the session db

4. If the user is inactive for over 30 mins then they are kicked out at the next attempt to access a page and the record in the sessionDB is deleted

5. I run an hourly trigger that deletes any records in the sessionDB where the time is over 30 mins old

I use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in this context.

Finally, one thing I don't do is check the client's IP. I found that some users accessing the net from within large corporations (i.e. Microsoft) accessed the site using different IPs even within the same session. I assume this must be a security feature on the Microsoft end.

Take care
- Tom
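The five-step procedure in the message above, written out as a small server-side session store. This is an added example in Python, not WebDNA and not the poster's own code; it assumes a single process holding the store in memory, a web framework that reads and sets the `sid` cookie and calls `login`/`touch`/`logout`, and a scheduler that calls `sweep` periodically (the hourly trigger). It goes slightly beyond the post in two places a practitioner would want: the session ID comes from the OS CSPRNG rather than a uniqueness generator, and the store is keyed by a hash of the ID so a dump of the session table does not hand out usable cookies. The `Set-Cookie` helper shows the HttpOnly/Secure/SameSite attributes that give the thread its title, with no Expires/Max-Age so the cookie stays non-persistent.

```python
"""Server-side session store modelled on the five steps in the post above.

Added example (Python, not WebDNA, not the poster's code).  Assumptions: one
process keeps the store in memory; the web layer reads/sets the ``sid`` cookie
and calls login()/touch()/logout(); a scheduler calls sweep() periodically.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 30 * 60      # the post's 30-minute idle timeout


@dataclass
class SessionRecord:
    user_id: str
    last_seen: float                # seconds since epoch, reset on every request


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self._clock = clock         # injectable so a test can advance time
        # Keyed by a hash of the session ID, not the ID itself: a dump of the
        # store (backup, log line, debugger) then yields no usable cookie.
        self._records: dict[str, SessionRecord] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def login(self, user_id: str) -> str:
        """Steps 1 and 2: create the record, return the ID to put in the cookie.

        [cart] in the post guarantees uniqueness; a session ID must also be
        unguessable, so this uses the OS CSPRNG (256 bits, URL-safe base64)."""
        session_id = secrets.token_urlsafe(32)
        self._records[self._key(session_id)] = SessionRecord(user_id, self._clock())
        return session_id

    def touch(self, session_id: str):
        """Steps 3 and 4: called on every page request.

        Returns the user ID and resets the idle clock, or returns None and
        deletes the record when the session is unknown or idle past timeout."""
        key = self._key(session_id)
        record = self._records.get(key)
        if record is None:
            return None
        now = self._clock()
        if now - record.last_seen > self.idle_timeout:
            del self._records[key]          # kicked out at the next attempt
            return None
        record.last_seen = now              # reset the time in the session db
        return record.user_id

    def logout(self, session_id: str) -> None:
        """Explicit logout: remove server side so the cookie value is dead
        even if the browser still holds it."""
        self._records.pop(self._key(session_id), None)

    def sweep(self) -> int:
        """Step 5: the periodic trigger.  Removes records idle past the
        timeout whose owners never came back to be kicked out by touch().
        Returns the number removed."""
        now = self._clock()
        stale = [k for k, r in self._records.items()
                 if now - r.last_seen > self.idle_timeout]
        for k in stale:
            del self._records[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._records)


def set_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie line for a non-persistent session cookie.

    No Expires/Max-Age, so the browser drops it on close (as in the post).
    HttpOnly keeps page scripts from reading it, Secure keeps it off plain
    HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: sid=" + session_id + "; " + "; ".join(attrs)


if __name__ == "__main__":
    clock = [1_700_000_000.0]                       # constructed fake clock
    store = SessionStore(clock=lambda: clock[0])
    sid = store.login("admin")
    print(set_cookie_header(sid))
    clock[0] += 29 * 60
    print("after 29 min:", store.touch(sid))        # admin, timer reset
    clock[0] += 31 * 60
    print("after 31 more min:", store.touch(sid))   # None, kicked out
```

The fake clock in the `__main__` block is only there to make the timeout observable without waiting; in production the default `time.time` applies. Note that `touch` and `sweep` apply the same rule, so a session the sweeper has not reached yet is still rejected on its next request.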
Associated Messages, from the most recent to the oldest:

    
  1. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  2. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  3. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  4. Re: [WebDNA] Secure Cookies (Brian Harrington 2020)
  5. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  6. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  7. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  8. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  9. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  10. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  11. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  12. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  13. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  14. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  15. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  16. [WebDNA] Secure Cookies - Further reading (Stuart Tremain 2020)
  17. [WebDNA] Secure Cookies (Stuart Tremain 2020)
  18. Re: [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  19. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (Tom Duke 2013)
  20. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (WebDNA 2013)
  21. [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  22. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  23. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  24. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  25. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  26. Re: [WebDNA] Secure Cookies (Frank Nordberg 2009)
  27. Re: [WebDNA] Secure Cookies (Govinda 2009)
  28. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  29. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  30. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  31. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  32. Re: [WebDNA] Secure Cookies (Donovan Brooke 2009)
  33. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  34. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  35. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  36. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  37. [WebDNA] Secure Cookies (Stuart Tremain 2009)
