Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 103891
interpreted = N
texte = --00c09ffb525311a5960476e6264e Content-Type: text/plain; charset=UTF-8 Hi guys, I do the following for session cookies: 1. When a user logs in I create a record in a sessionDB that includes their userID, the time in seconds since epoch, and a unique sessionID using [cart] 2. I set the sessionID as a cookie 3. Each site has a default timeout - usually 30mins, each time a user refreshes a page I reset the time in the session db 4. If the user is inactive for over 30mins then they are kicked out at the next attempt to access a page and the record in the sessionDB is deleted 5. I run an hourly trigger that deletes any records in the sessionDB where the time is over 30mins old I use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in this context. Finally one thing I don't do is check the clients IP, I found that some users accessing the net from within large corporations (i.e Microsoft) accessed the site using different IPs even within the same session. I assume this must be a security feature on the Microsoft end. Take care - Tom --00c09ffb525311a5960476e6264e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi guys,

I do the following for session cookies:

1. When a user logs in I create a record in a sessionDB t= hat includes their userID, the time in seconds since epoch, and a unique se= ssionID using [cart]

2. I set the sessionID as a cookie

=
3. Each site has a default timeout - usually 30mins, each time a user = refreshes a page I reset the time in the session db

4. If the user is inactive for over 30mins then they are kicked out at= the next attempt to access a page and the record in the sessionDB is delet= ed

5. I run an hourly trigger that deletes any rec= ords in the sessionDB where the time is over 30mins old

I use this for admin pages on our CMS, so I do not use = persistent cookies. =C2=A0I can't see how encrypting the session cookie= improves security in this context.

Finally one th= ing I don't do is check the clients IP, I found that some users accessi= ng the net from within large corporations (i.e Microsoft) accessed the site= using different IPs even within the same session. =C2=A0 I assume this mus= t be a security feature on the Microsoft end.

Take care
- Tom


=
--00c09ffb525311a5960476e6264e-- Associated Messages, from the most recent to the oldest:

    
  1. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  2. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  3. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  4. Re: [WebDNA] Secure Cookies (Brian Harrington 2020)
  5. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  6. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  7. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  8. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  9. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  10. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  11. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  12. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  13. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  14. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  15. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  16. [WebDNA] Secure Cookies - Further reading (Stuart Tremain 2020)
  17. [WebDNA] Secure Cookies (Stuart Tremain 2020)
  18. Re: [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  19. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (Tom Duke 2013)
  20. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (WebDNA 2013)
  21. [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  22. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  23. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  24. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  25. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  26. Re: [WebDNA] Secure Cookies (Frank Nordberg 2009)
  27. Re: [WebDNA] Secure Cookies (Govinda 2009)
  28. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  29. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  30. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  31. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  32. Re: [WebDNA] Secure Cookies (Donovan Brooke 2009)
  33. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  34. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  35. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  36. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  37. [WebDNA] Secure Cookies (Stuart Tremain 2009)
--00c09ffb525311a5960476e6264e Content-Type: text/plain; charset=UTF-8 Hi guys, I do the following for session cookies: 1. When a user logs in I create a record in a sessionDB that includes their userID, the time in seconds since epoch, and a unique sessionID using [cart] 2. I set the sessionID as a cookie 3. Each site has a default timeout - usually 30mins, each time a user refreshes a page I reset the time in the session db 4. If the user is inactive for over 30mins then they are kicked out at the next attempt to access a page and the record in the sessionDB is deleted 5. I run an hourly trigger that deletes any records in the sessionDB where the time is over 30mins old I use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in this context. Finally one thing I don't do is check the clients IP, I found that some users accessing the net from within large corporations (i.e Microsoft) accessed the site using different IPs even within the same session. I assume this must be a security feature on the Microsoft end. Take care - Tom --00c09ffb525311a5960476e6264e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi guys,

I do the following for session cookies:

1. When a user logs in I create a record in a sessionDB t= hat includes their userID, the time in seconds since epoch, and a unique se= ssionID using [cart]

2. I set the sessionID as a cookie

=
3. Each site has a default timeout - usually 30mins, each time a user = refreshes a page I reset the time in the session db

4. If the user is inactive for over 30mins then they are kicked out at= the next attempt to access a page and the record in the sessionDB is delet= ed

5. I run an hourly trigger that deletes any rec= ords in the sessionDB where the time is over 30mins old

I use this for admin pages on our CMS, so I do not use = persistent cookies. =C2=A0I can't see how encrypting the session cookie= improves security in this context.

Finally one th= ing I don't do is check the clients IP, I found that some users accessi= ng the net from within large corporations (i.e Microsoft) accessed the site= using different IPs even within the same session. =C2=A0 I assume this mus= t be a security feature on the Microsoft end.

Take care
- Tom


=
--00c09ffb525311a5960476e6264e-- Tom Duke

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

RE: E-mailer error codes (1997) Getting total number of items ordered (1997) Interfacing WebMerchant to www.fedex.com (1997) multiple db's (2003) form data submission gets truncated (1997) RE: Automatic Forwarding using WebCat (1997) Weird Math and SV Bad News (1997) URL for Discussion Archive (1997) Just testing (2003) Grouping search fields, etc. (1997) Itools, WEBCAT OSX (2003) 2.0Beta Command Ref (can't find this instruction) (1997) web delivery (1997) EMailFolder (2007) Here's how to kill a Butler Database. (1997) WebCat2b13MacPlugIn - [include] doesn't allow creator (1997) Search for 20 finds 2000, 200 Why? (1997) [LOOKUP] (1997) [WebDNA] WebDNA 7 (2011) Country & Ship-to address & other fields ? (1997)