Mon, 30 Sep 2002 09:43:46 +0200
> Can you please enlighten me about the purpose of regularly changing
> Hcook and Lcook? Is it because you want to restrict the session
Sorry for coming back to this so late, but I have been traveling
too much in the past days.
The purpose of changing Hcook and Lcook is to only request authentication
when strictly necessary and avoid unauthorized access by cookie copying.
If you just use a single non-persistent cookie, the user has to
re-authenticate whenever (s)he starts the browser. To
avoid this, Hcook is a persistent cookie. But then cookie copying may
grant access to several users at the same time.

There is a registry at the PoA of the active and valid Hcooks, associated
with a nonce that is included in the cookie itself. This way, if a user
copies the cookie to a second one, (s)he is not also providing access rights to
this other user, but *transferring* them. So to say, the change of the
cookies makes them unique access tokens (and they work behind proxies,
firewalls, NATs and all this kind of funny stuff).
"This time we will not fail, Doctor Infierno"
Diego R. Lopez
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094
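An added example, not PAPI's own code, sketching the registry described in the reply above: the PoA keeps one valid nonce per Hcook holder, rotates it on every accepted request, and rejects a replayed copy, so a copied cookie transfers access rather than sharing it. The names `PoA`, `Hcook` and `stale_events` are my own, and the stale-event log is an assumption added for detection purposes.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Hcook:
    """Persistent cookie: identifies the holder and carries the current nonce."""
    user: str
    nonce: str


class PoA:
    """Point of Access holding the registry of active and valid Hcooks."""

    def __init__(self):
        self.registry = {}      # user -> nonce of the one Hcook currently valid
        self.stale_events = []  # (user, nonce) of rejected replays, for alerting

    def authenticate(self, user):
        """Full authentication: issue a fresh Hcook and register its nonce."""
        cookie = Hcook(user, secrets.token_hex(16))
        self.registry[user] = cookie.nonce
        return cookie

    def access(self, cookie):
        """Validate a presented Hcook.

        On success the nonce is rotated, so the returned cookie replaces the
        presented one and any other copy of it becomes stale. A stale copy is
        refused and its holder must re-authenticate (the registry entry of the
        legitimate holder is left untouched).
        """
        current = self.registry.get(cookie.user)
        if current is None or not secrets.compare_digest(current, cookie.nonce):
            self.stale_events.append((cookie.user, cookie.nonce))
            return False, None
        rotated = Hcook(cookie.user, secrets.token_hex(16))
        self.registry[cookie.user] = rotated.nonce
        return True, rotated


def transfer_demo():
    """Constructed scenario: a copy of alice's Hcook is used before the original.

    Returns (copy_accepted, original_accepted, stale_count)."""
    poa = PoA()
    original = poa.authenticate("alice")
    copied = Hcook(original.user, original.nonce)  # byte-for-byte copy
    copy_ok, _ = poa.access(copied)      # first use wins and rotates the nonce
    orig_ok, _ = poa.access(original)    # original now carries a stale nonce
    return copy_ok, orig_ok, len(poa.stale_events)
```

Whichever holder presents the cookie first receives the rotated token; the other copy is refused, which is the "transfer, not share" property the reply describes.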