Re: [WebDNA] Secure Cookies
This WebDNA talk-list message is from 2009
It keeps the original formatting.
numero = 103891
interpreted = N
texte = --00c09ffb525311a5960476e6264eContent-Type: text/plain; charset=UTF-8Hi guys,I do the following for session cookies:1. When a user logs in I create a record in a sessionDB that includes theiruserID, the time in seconds since epoch, and a unique sessionID using [cart]2. I set the sessionID as a cookie3. Each site has a default timeout - usually 30mins, each time a userrefreshes a page I reset the time in the session db4. If the user is inactive for over 30mins then they are kicked out at thenext attempt to access a page and the record in the sessionDB is deleted5. I run an hourly trigger that deletes any records in the sessionDB wherethe time is over 30mins oldI use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in thiscontext.Finally one thing I don't do is check the clients IP, I found that someusers accessing the net from within large corporations (i.e Microsoft)accessed the site using different IPs even within the same session. Iassume this must be a security feature on the Microsoft end.Take care- Tom--00c09ffb525311a5960476e6264eContent-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableHi guys,
I do the following for session cookies:
1. When a user logs in I create a record in a sessionDB t=hat includes their userID, the time in seconds since epoch, and a unique se=ssionID using [cart]
2. I set the sessionID as a cookie
=3. Each site has a default timeout - usually 30mins, each time a user =refreshes a page I reset the time in the session db
4. If the user is inactive for over 30mins then they are kicked out at= the next attempt to access a page and the record in the sessionDB is delet=ed
5. I run an hourly trigger that deletes any rec=ords in the sessionDB where the time is over 30mins old
I use this for admin pages on our CMS, so I do not use =persistent cookies. =C2=A0I can't see how encrypting the session cookie= improves security in this context.
Finally one th=ing I don't do is check the clients IP, I found that some users accessi=ng the net from within large corporations (i.e Microsoft) accessed the site= using different IPs even within the same session. =C2=A0 I assume this mus=t be a security feature on the Microsoft end.
Take care
- Tom
=
--00c09ffb525311a5960476e6264e--
Associated Messages, from the most recent to the oldest:
--00c09ffb525311a5960476e6264eContent-Type: text/plain; charset=UTF-8Hi guys,I do the following for session cookies:1. When a user logs in I create a record in a sessionDB that includes theiruserID, the time in seconds since epoch, and a unique sessionID using [cart]2. I set the sessionID as a cookie3. Each site has a default timeout - usually 30mins, each time a userrefreshes a page I reset the time in the session db4. If the user is inactive for over 30mins then they are kicked out at thenext attempt to access a page and the record in the sessionDB is deleted5. I run an hourly trigger that deletes any records in the sessionDB wherethe time is over 30mins oldI use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in thiscontext.Finally one thing I don't do is check the clients IP, I found that someusers accessing the net from within large corporations (i.e Microsoft)accessed the site using different IPs even within the same session. Iassume this must be a security feature on the Microsoft end.Take care- Tom--00c09ffb525311a5960476e6264eContent-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableHi guys,
I do the following for session cookies:
1. When a user logs in I create a record in a sessionDB t=hat includes their userID, the time in seconds since epoch, and a unique se=ssionID using
[cart]
2. I set the sessionID as a cookie
=3. Each site has a default timeout - usually 30mins, each time a user =refreshes a page I reset the time in the session db
4. If the user is inactive for over 30mins then they are kicked out at= the next attempt to access a page and the record in the sessionDB is delet=ed
5. I run an hourly trigger that deletes any rec=ords in the sessionDB where the time is over 30mins old
I use this for admin pages on our CMS, so I do not use =persistent cookies. =C2=A0I can't see how encrypting the session cookie= improves security in this context.
Finally one th=ing I don't do is check the clients IP, I found that some users accessi=ng the net from within large corporations (i.e Microsoft) accessed the site= using different IPs even within the same session. =C2=A0 I assume this mus=t be a security feature on the Microsoft end.
Take care
- Tom
=
--00c09ffb525311a5960476e6264e--
Tom Duke
DOWNLOAD WEBDNA NOW!
Top Articles:
Talk List
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...
Related Readings:
Help! WebCat2 bug (1997)
Encrypt/decrypt bug in 3.0.5b12 (1999)
[WebDNA] =?windows-1252?Q?=5Bthisurlplusget=5D_and_the_correct_use_of_it?= (2013)
Help name our technology! (1997)
Help! WebCat2 bug (1997)
WebCat2 several catalogs? (1997)
Dynamic Pop Up Menus with Record Value Selected (1998)
Double Spacing in Mails from Sendmail (2002)
Hiding HTML and breaking the page (1997)
WebDNA Writer Needed (1997)
Getting total number of items ordered (1997)
2 HTTP Servers on one machine (2006)
[WebDNA] Error 500 with SUMM=T (2017)
how do I delete 1 of 2 identical records? (2003)
Math variable size-dumb question (1999)
searches with dash, period etc. (back form politeness) (2000)
Wierd display error.... (2004)
Change [cart] date (2002)
error: Too many nested [xxx] contexts (1997)
WebCat2b15MacPlugIn - [authenticate] not [protect] (1997)