secure authorization without IP
Good night.
Note: authorization is needed without taking the IP into account (for example, as far as I know, Twitter and Facebook do not log you out when your IP changes).
After re-reading several articles, I could not find a way out.
Authorization:
There are several ways.
Method 1:
The user enters a login and password, the password is hashed on the client side and sent to the server, the data is checked, and if everything is OK a random value is generated and hashed (or not even random, but the session ID) and written to the session.
Method 2:
When generating the form, a random value is generated and written both into a hidden field and into the database; the user enters the login and password again, the password is hashed, then hashed together with the additional value and sent to the server, where it is checked and the value is written to the cookie again.
Now the "remember me on this computer" function.
Here the problems begin: if you act in those two ways and check the values when the user opens the site (compare the cookie with the database), then someone can steal the cookie and log in. What is the way out?
Thank you
Oh, it seems to me you are reinventing the wheel.
When logging in, send the login and password to the server (use HTTPS so that there is no interception), generate a sessionId and let the user navigate your pages / request services with this Id.
Hashing various browser headers (User-Agent, Accept-*, etc.) is a weak safety net, but still better than nothing.
If you do not check the IP, there is always a chance that cookies will be stolen. The only way out is 100% SSL and being 100% sure that there is no XSS on the site.
I would advise, as already mentioned above, doing an IP check at the user's request.
There is an option to keep an IP-independent cookie on one domain and an IP-dependent one on the other, main domain. When the IP changes, the user must do a cross-domain authorization. VKontakte does it this way. For how to implement it, see, for example, the talk by Ilya Kantor: addconf.ru/event.sdf/ru/add_2010/authors/136/174
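The question asks how a "remember me" cookie can survive without being a permanent skeleton key once stolen, and the first answer suggests a server-generated sessionId over HTTPS. The following is an added example written for this page, not code from any of the posters: it pairs a short-lived random session ID with a long-lived "remember me" cookie split into a series identifier and a rotating token. Only the hash of the token is stored, the token is replaced on every use, and presenting a stale token for a known series is treated as a stolen cookie and revokes every remembered login for that user. The in-memory dictionaries stand in for database tables, and the TTLs and cookie names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for database tables.
SESSIONS = {}          # session_id -> {"user": ..., "expires": ...}
REMEMBER_SERIES = {}   # series -> {"user": ..., "token_hash": ..., "expires": ...}

SESSION_TTL = 30 * 60           # assumed: 30 minutes of inactivity
REMEMBER_TTL = 30 * 24 * 3600   # assumed: 30 days


def cookie_attrs(name, value, max_age):
    """Set-Cookie attributes: Secure (HTTPS only), HttpOnly (script cannot read
    it, which blunts cookie theft via XSS) and SameSite=Lax against CSRF."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def create_session(user, now=None):
    """Issue a 256-bit random session ID drawn from the OS CSPRNG."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def lookup_session(sid, now=None):
    """Return the user for a live session ID, or None if unknown or expired."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None or rec["expires"] < now:
        SESSIONS.pop(sid, None)
        return None
    return rec["user"]


def _token_hash(token):
    # The DB keeps only the hash, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def _set_token(series, user, expires):
    token = secrets.token_urlsafe(32)
    REMEMBER_SERIES[series] = {"user": user, "token_hash": _token_hash(token), "expires": expires}
    return f"{series}:{token}"   # token_urlsafe never contains ':'


def issue_remember_cookie(user, now=None):
    """Start a new series (one per browser) with a fresh token."""
    now = time.time() if now is None else now
    return _set_token(secrets.token_urlsafe(12), user, now + REMEMBER_TTL)


def revoke_remember_cookies(user):
    for series in [s for s, r in REMEMBER_SERIES.items() if r["user"] == user]:
        del REMEMBER_SERIES[series]


def redeem_remember_cookie(cookie, now=None):
    """Return (user, new_cookie) and rotate the token, or (None, None).

    A valid series with a token that does not match means two browsers hold
    the same series: the legitimate one already rotated it and an attacker is
    replaying an old copy (or vice versa). Either way we drop every series
    for that user so the thief cannot keep using the stolen cookie.
    """
    now = time.time() if now is None else now
    series, _, token = cookie.partition(":")
    rec = REMEMBER_SERIES.get(series)
    if not token or rec is None or rec["expires"] < now:
        REMEMBER_SERIES.pop(series, None)
        return None, None
    if not hmac.compare_digest(rec["token_hash"], _token_hash(token)):
        revoke_remember_cookies(rec["user"])
        return None, None
    # Token matched: keep the series, rotate the token, extend the lifetime.
    return rec["user"], _set_token(series, rec["user"], now + REMEMBER_TTL)


if __name__ == "__main__":
    sid = create_session("alice")
    print(cookie_attrs("sid", sid, SESSION_TTL))
    remember = issue_remember_cookie("alice")
    user, rotated = redeem_remember_cookie(remember)
    print("redeemed for", user, "rotated:", rotated != remember)
    print("replay of stolen copy ->", redeem_remember_cookie(remember))
    print("legitimate browser after revocation ->", redeem_remember_cookie(rotated))
```

Rotation does not stop a stolen cookie from being used once; it limits the damage to the window before the legitimate browser next reconnects, at which point the mismatch surfaces and both copies die. The short-lived session cookie should still be re-issued from the remembered login rather than the remembered cookie being accepted on every request.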