PAPI Archives

The PAPI authentication and authorization framework

Date: Mon, 30 Sep 2002 09:43:46 +0200
In-Reply-To: Message from Sassa <[log in to view]> of "Fri, 20 Sep 2002 16:24:46 BST." <[log in to view]>
Message-Id: <1058334287.1050.335.camel@incal>
> Can you please enlighten me about the purpose of regularly changing
> Hcook and Lcook? Is it because you want to restrict the session
> length? 

Sorry for coming back to this so late, but I have been traveling
too much in the past days.

The purpose of changing Hcook and Lcook is to only request authentication
when strictly necessary and avoid unauthorized access by cookie copying.
If you just use a single non-persistent cookie, the user has to
re-authenticate whenever (s)he starts the browser. To
avoid this, Hcook is a persistent cookie. But then cookie copying may
grant access to several users at the same time.

There is a registry at the PoA of the active and valid Hcooks, associated
with a nonce that is included in the cookie itself. This way, if a user
copies the cookie to a second one, (s)he is not also providing access rights to
this other user, but *transferring* them. So to say, the change of the
cookies makes them unique access tokens (and they work behind proxies,
firewalls, NATs and all this kind of funny stuff).

Best regards,

"Esta vez no fallaremos, Doctor Infierno"

Diego R. Lopez
[log in to view]

The Spanish NREN
Tel:    +34 955 056 621
Mobile: +34 669 898 094
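The rotation scheme described in the message above, as an added example that is not part of the original post or of PAPI's own code: a small Python simulation in which the PoA keeps a registry of nonces embedded in Hcook and retires each nonce on use, so a copied cookie transfers access rather than sharing it. The class and function names, the cookie layout `user:nonce`, and the registry structure are assumptions made for the illustration.

```python
"""Constructed simulation of PAPI-style Hcook rotation at a Point of Access.

The PoA keeps a registry of active Hcook nonces. Every accepted request
retires the presented nonce and issues a fresh cookie, so whoever presents a
given cookie first takes the access with them; the other copy is dead.
All names below are hypothetical, not PAPI's real API.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PoA:
    """Point of Access holding the registry of valid nonce -> user pairs."""
    registry: Dict[str, str] = field(default_factory=dict)  # constructed state

    def issue_hcook(self, user: str) -> str:
        """Create a fresh persistent Hcook bound to a newly registered nonce."""
        nonce = secrets.token_hex(16)
        self.registry[nonce] = user
        return f"{user}:{nonce}"

    def present_hcook(self, hcook: str) -> Optional[str]:
        """Validate a presented Hcook against the registry.

        Returns the rotated Hcook on success, or None when the nonce is
        unknown or already consumed (the browser must re-authenticate).
        """
        user, _, nonce = hcook.partition(":")
        if self.registry.get(nonce) != user:
            return None
        # Retire the used nonce so this exact cookie can never be replayed,
        # then hand back a new unique token for the next request.
        del self.registry[nonce]
        return self.issue_hcook(user)


def copy_attack_outcome(poa: PoA) -> Tuple[bool, bool]:
    """Legit user and a copier both hold the same Hcook; who keeps access?

    Returns (copier_first_use_ok, legit_use_after_copy_ok): the copy is
    accepted once (access is transferred) and the original then fails.
    """
    cookie = poa.issue_hcook("alice")
    copied = cookie                                   # duplicated cookie file
    copier_ok = poa.present_hcook(copied) is not None  # nonce consumed here
    legit_ok = poa.present_hcook(cookie) is not None   # same nonce, now dead
    return copier_ok, legit_ok
```

Because the registry lives at the PoA and only the nonce is compared, the scheme does not depend on client IP addresses, which is why it keeps working behind proxies and NATs.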