Feature #30378

Cookie authentication

Added by Adrian Föder about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Could have
Assignee: -
Category: Security
Target version: -
Start date: 2011-09-28
Due date:
% Done: 0%
PHP Version:
Has patch: No
Complexity:

Description

It would be nice to have a proof cookie authentication possibility on board. I did a bit of research and found the following blog entry:

http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb/

Briefly said, this idea sets a cookie of the form

username + ':' + timestamp + ':' + HMAC(username + ':' + timestamp)

Whenever a request arrives having this cookie set and of course matching the hash, the user is considered authenticated.
The most interesting thing is that the cookie is re-set after e.g. 10 minutes, so that hijacking this cookie is limited to a time window of 10 minutes.
Vice versa this means that an expired timestamped cookie is disregarded.

As I need this functionality for my project, I would be delighted to write this; but I think I need some kind of mentor that takes me by the hand, even to discuss some things.

What do you mean?
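
The cookie scheme described in this request, as an added example that is not part of the original issue and not FLOW3 code: it issues `username:timestamp:HMAC(username:timestamp)`, rejects tampered or expired cookies, and re-sets the cookie on each accepted request. HMAC-SHA256, the key, the function names and the 600-second window are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, constructed for this example
WINDOW_SECONDS = 600  # the "e.g. 10 minutes" window from the description


def _mac(payload: str) -> str:
    # HMAC-SHA256 is an assumption; the description only says "HMAC".
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(username: str, now: int) -> str:
    """Build username:timestamp:HMAC(username:timestamp)."""
    payload = f"{username}:{now}"
    return f"{payload}:{_mac(payload)}"


def verify_cookie(cookie: str, now: int):
    """Return the username if the MAC matches and the timestamp is in the window, else None."""
    parts = cookie.rsplit(":", 2)  # split from the right so a ':' in the username is harmless
    if len(parts) != 3:
        return None
    username, ts_text, mac = parts
    if not username or not (ts_text.isascii() and ts_text.isdigit()):
        return None
    # Check the MAC before trusting the timestamp; compare in constant time.
    expected = _mac(f"{username}:{ts_text}")
    if not hmac.compare_digest(expected.encode("utf-8"), mac.encode("utf-8")):
        return None
    age = now - int(ts_text)
    if age < 0 or age > WINDOW_SECONDS:
        return None  # expired (or future-dated) cookies are disregarded
    return username


def handle_request(cookie: str, now: int):
    """Authenticate one request and re-set the cookie with a fresh timestamp."""
    username = verify_cookie(cookie, now)
    if username is None:
        return None, None
    return username, issue_cookie(username, now)


if __name__ == "__main__":
    t0 = int(time.time())
    cookie = issue_cookie("alice", t0)
    print(handle_request(cookie, t0 + 60))   # accepted, fresh cookie returned
    print(handle_request(cookie, t0 + 601))  # (None, None): outside the window
```

A captured cookie stays usable until its timestamp ages out, so the window length is the exposure bound the description refers to.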


Related issues

Related to TYPO3.Flow - Feature #46063: Implement username password provider with "remember me" persistent cookie New 2013-03-06
Related to TYPO3.Flow - Feature #56744: stay logged in New 2014-03-11

History

#1 Updated by Adrian Föder about 6 years ago

  • Assignee deleted (Adrian Föder)

Sorry, I completely missed the thing; what is described above is a kind of session login handling which FLOW3 supplies anyway.

Well, here I found another article that seems to be very interesting:
http://jaspan.com/improved_persistent_login_cookie_best_practice

#2 Updated by Karsten Dambekalns almost 6 years ago

  • Status changed from New to Closed
  • Has patch set to No
