Feature #30378

Cookie authentication

Added by Adrian Föder over 2 years ago. Updated over 2 years ago.

Status:Closed Start date:2011-09-28
Priority:Could have Due date:
Assignee:- % Done:

0%

Category:Security
Target version:-
PHP Version: Complexity:
Has patch:No
Votes: 0

Description

It would be nice having a proof cookie authentication possibility on board. I did a bit of research and found the following blog entry:

http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb/

Briefly said, this idea sets a cookie of form

username + ':' + timestamp + ':' + HMAC(username + ':' + timestamp)

Whenever a request arrives having this cookie set and of course matching the hash, the user is considered authenticated.
The most interesting thing is that the cookie is re-set after e.g. 10 minutes, so that hijacking this cookie is limited to a time window of 10 minutes.
Vice versa this means that an expired timestamped cookie is disregarded.

As I need this functionality for my project, I would be delighted to write this; but I think I need some kind of mentor that takes me by the hands, even to discuss some things.

What do you mean?


Related issues

related to TYPO3.Flow - Feature #46063: Implement username password provider with "remember me" p... New 2013-03-06

History

Updated by Adrian Föder over 2 years ago

  • Assignee deleted (Adrian Föder)

Sorry, I completely missed the thing; what is described above is a kind of session login handling which FLOW3 supplies anyway.

Well, here I found another article that seems to be very interesting:
http://jaspan.com/improved_persistent_login_cookie_best_practice

Updated by Karsten Dambekalns over 2 years ago

  • Status changed from New to Closed
  • Has patch set to No

Also available in: Atom PDF