Security Basics mailing list archives

Re: Re: Re: Cookie Security


From: ellukicq () icqmail com
Date: 30 Apr 2008 16:12:27 -0000

If we don't consider the theory at the very first step, we are very likely to end up wasting our time. 
If the theory is proven to be sound, that is when you move on. 

So I wanted to confirm that the fundamentals of the proposed solution were OK. 

I assume from your response that the basic procedure seems reasonable? 
Now time for the practice... 



"How are you going to create the hash?" 
I had in mind implementing MD5 and 3DES in JavaScript to handle the operation. 
These are tried and tested algorithms, and both are already implemented in a similar way for our authentication mechanism. 

"Would it be possible to predict it if I have 10/20/50 other hashes?" 
Using 3DES should help to mitigate any cryptanalysis attacks. 

"...if I have other data?" 
In order to build the string, you would require the user's password MD5 hash (our PSK in this implementation), which is not transmitted. 

"Where will you store the session ID and this hash?" 
The hash and session ID would be stored in cookies, client-side. 
Unless you are aware of an alternative location? 



"The bad thing is that HTTPOnly works only for Internet Explorer." 
That's a real shame. Sounded so good. (Always the way!) 