HTTP Cookies
MGriboedoff, 2015-06-10 11:04:59

Cookies, how often should they be updated?

In general, I am writing a framework for learning purposes.
I will describe the implementation of authorization / registration, etc., that I have:
1) The user comes to the site and is given a cookie, if he does not already have one.
2) Further, if the user needs access to some functions that require registration, he enters an e-mail and registers it, and the password is sent to that e-mail. The user is authorized for an hour.
3) An hour passes, and the password has to be entered again (I plan to change this to a period of user inactivity, with the duration set by the user).
And now the question. The cookie hash does not change throughout the life of the user (yet). That is not safe, in my opinion...
In general, I had the idea of changing the cookie hash. Nothing prevents changing it on every user request: check whether the hash is correct and, if it is, replace it with a new one. On the next request, do the same, and so on.
With this option, interception of cookies is practically impossible, and the user will immediately notice... that he is thrown out with a hash error. But is it worth it? There is a problem: the user will only be able to work in parallel from one device... Well, or at most from different IP addresses. And if he comes from a mobile phone and from a computer on the same home network... then the algorithm becomes even more complicated.
Who would do what?
The point is to protect against unauthorized access.


1 answer
Alexander Lalikin, 2015-06-10
@Lalikin

The problem of multiple devices is solved by creating a hash for each device. That is, the cookie hash is not stored in the users table but in a separate table, where one user can have several hashes. In the same table we also store the User-Agent. The IP can change even within the same provider between connections, so asking for the password in that situation is not logical at all. But if the question is about logging out after an hour of inactivity, then the IP can be added as well. The proposed method also lets you change the hash on every request, if you wish.
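The scheme described in the question (rotate the cookie value on every request, expire it after a period of inactivity) and in the answer (a separate sessions table with one row per device, carrying the User-Agent) can be put together in a few dozen lines. The following is an added example written for this page, not code from the question author's framework or from the answer. It assumes an in-memory dictionary stands in for the sessions table, that the cookie value is a random 256-bit token of which only the SHA-256 hash is stored server-side (so a leaked table does not yield usable cookies), and that the clock is injectable so expiry can be exercised without waiting. Names such as `SessionStore`, `login` and `authenticate` are this example's own.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    """One row of the hypothetical sessions table: one device of one user."""
    user_id: int
    token_hash: str      # SHA-256 of the cookie value; the raw token is never stored
    user_agent: str      # device binding, as the answer suggests
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, inactivity_seconds: int = 3600, clock=time.time):
        self.inactivity = inactivity_seconds
        self.clock = clock            # injectable for testing; defaults to wall clock
        self._by_hash: dict[str, Session] = {}   # stands in for the sessions table

    @staticmethod
    def _hash(token: str) -> str:
        # The token has 256 bits of entropy, so an unsalted hash is enough to make
        # a dumped table useless to an attacker; the hash is also the lookup key.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: int, user_agent: str) -> str:
        """Create a new session row for one device and return the cookie value."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._by_hash[self._hash(token)] = Session(
            user_id, self._hash(token), user_agent, now, now)
        return token

    def authenticate(self, token: str, user_agent: str):
        """Validate a presented cookie. Returns (user_id, new_token) and rotates
        the token, or None if the session is unknown, expired, or from a
        different device (in which case the row is dropped)."""
        # Pop first: whatever the outcome, the presented token is single-use.
        session = self._by_hash.pop(self._hash(token), None)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.inactivity:
            return None               # idle too long: row is already removed
        if session.user_agent != user_agent:
            return None               # token replayed from another device: kill it
        new_token = secrets.token_urlsafe(32)
        session.token_hash = self._hash(new_token)
        session.last_seen = now
        self._by_hash[session.token_hash] = session
        return session.user_id, new_token

    def active_sessions(self, user_id: int) -> int:
        """Number of devices currently logged in for a user (ignores idle-expired rows)."""
        now = self.clock()
        return sum(1 for s in self._by_hash.values()
                   if s.user_id == user_id and now - s.last_seen <= self.inactivity)

    def logout_all(self, user_id: int) -> int:
        """Invalidate every device of a user, e.g. after a password change."""
        victims = [h for h, s in self._by_hash.items() if s.user_id == user_id]
        for h in victims:
            del self._by_hash[h]
        return len(victims)


if __name__ == "__main__":
    store = SessionStore()
    phone = store.login(42, "Mozilla/5.0 (Linux; Android)")
    desktop = store.login(42, "Mozilla/5.0 (Windows NT 10.0)")
    print("devices:", store.active_sessions(42))                     # 2
    uid, phone = store.authenticate(phone, "Mozilla/5.0 (Linux; Android)")
    print("phone still valid, token rotated:", uid)
    print("old phone token rejected:", store.authenticate("stale", "x") is None)
    print("logged out everywhere:", store.logout_all(42))            # 2
```

Two caveats a practitioner would add. First, rotating on every request means two concurrent requests from the same device (two browser tabs, or a page plus its XHR) race: the second one arrives with the already-consumed token and the session is dropped, which is the "hash error" the question anticipates; many real frameworks rotate only on privilege change or on a timer for that reason. Second, the store above only decides whether a cookie is valid; the cookie itself should still be sent with the `HttpOnly`, `Secure` and `SameSite` attributes so that it cannot be read by scripts or sent over plain HTTP in the first place.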
