Posted by Ellen Quaadgras on August 24, 2004, 9:34 pm
We are implementing a single sign-on solution that involves storing an
encrypted cookie with the user's username as an access token. We'd
like to make sure the cookie can't be used in a replay attack, and so
plan to include the IP address in it as well.
Two questions:
1. What is an accepted method of encryption for such a cookie? MD5?
Triple-DES? What are the issues to consider when selecting an
encryption algorithm?
2. Is there an accepted standard for what to include in such a cookie?
Expiration time? Other things? We've seen the article at
http://www.w3.org/Security/Faq/CLT-Q10, which talks about a MAC:

    MAC = MD5("secret key " +
              MD5("session ID" + "issue date" +
                  "expiration time" + "IP address" +
                  "secret key")
          )

Is that the industry standard, given it's an article from w3? Is
there another?
Thanks!
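As an added illustration (not code from the post or from the W3C FAQ), here is the cookie layout the quoted FAQ describes (session ID, issue date, expiration time, IP address, all bound together by a keyed MAC) with a verifier that checks the MAC, the expiry and the client IP. It computes the MAC with HMAC-SHA256 instead of the nested MD5-with-appended-secret construction quoted above; the field set, the secret key and the "|" token format are assumptions for the example.

```python
import hmac
import hashlib

# Constructed example key. In a real deployment this is a long random
# secret known only to the servers that mint and verify the cookie.
SECRET = b"example-secret-key-not-for-production"


def _mac(secret: bytes, fields: list) -> str:
    # The same fields the quoted FAQ feeds into its MAC. HMAC-SHA256 is a
    # standard keyed MAC; the secret is the HMAC key rather than data
    # concatenated into the hash, as in the FAQ's MD5 nesting.
    msg = "|".join(fields).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_cookie(secret: bytes, session_id: str, ip: str,
                issued: int, ttl: int) -> str:
    # Token = session ID | issue time | expiry time | IP | MAC over the
    # first four fields. Field values are assumed not to contain "|".
    expires = issued + ttl
    fields = [session_id, str(issued), str(expires), ip]
    return "|".join(fields + [_mac(secret, fields)])


def verify_cookie(secret: bytes, cookie: str, client_ip: str, now: int):
    # Returns (session_id, "ok") or (None, reason). The MAC is checked
    # first, so the expiry and IP fields are trusted only after the
    # token is known to be unmodified.
    parts = cookie.split("|")
    if len(parts) != 5:
        return None, "malformed"
    session_id, issued, expires, ip, tag = parts
    fields = [session_id, issued, expires, ip]
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(_mac(secret, fields), tag):
        return None, "bad mac"
    if now >= int(expires):
        return None, "expired"
    # This is the replay check the post asks about: a stolen cookie
    # presented from a different address is rejected.
    if ip != client_ip:
        return None, "ip mismatch"
    return session_id, "ok"
```

Binding to the client IP only helps while the client keeps the same address, so the expiry field is what limits the lifetime of a cookie that is replayed from the same network.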