I'm currently researching user authentication protocols for a website I'm developing. I would like to create an authentication cookie so users can stay logged in between pages.
Here is my first bash:
cookie = user_id|expiry_date|HMAC(user_id|expiry_date, k)
Where k is HMAC(user_id|expiry_date, sk) and sk is a 256 bit key only known ...
I created a controller to serve dynamic stylesheets, so I can use the image_tag helper and add some cache control.
The problem is that every time the css file is loaded at the browser, I can see a "Cookie xxx changed" message in firebug. I would like to disable or bypass session cookies for this controller.
I read somewhere that using
...
I've created a login on my website using forms authentication,
I do not understand why after creating the ticket and adding it to the cookies
if I check for HttpContext.Current.Request.IsAuthenticated
I get false. Only on the successive request does the user become authenticated.
This is my code:
var fat = new FormsAuthenticationTicket(
...
I found two functions to get cookie data with JavaScript, one on w3schools.com and one on quirksmode.org
I would like to know which one I should use?
For example I believe I read somewhere that there was a problem with some browsers splitting the ; semicolon?
w3schools:
function getCookie(c_name) {
if (document.cookie.length > 0) ...
OAuth like Google OAuth. Let's put the communication between the Consumer server and the OAuth server aside. Let's talk about the browser side and consumer server communication: at least, the browser must hold a cookie to identify the session with the consumer server. Right? But I didn't see it.
...
I use an IOC container which provides me with IService.
In the case where IService is a WCF service, it is provided by a channel factory.
When IService lives on the same machine, it is able to access the same cookies and so there is no problem; however, once a WCF Service is called, it needs to be sent those cookies.
I've spent a lot of time trying to...
I am slowly moving my (unreleased) CMS from $_SESSION to $_COOKIE. Content on the internet seems to be biased more towards $_SESSION (I assume because of ease of use). I am looking for security tips on saving cookies. Currently, I am storing (somewhat similar to WordPress) a cookie in the format:
'logged_in_%hash_key%' => "username | %hash_p...
Hello all
I have 2 domains, e.g. test1.com and test2.com, and I need user login across these 2 domains.
Both domains run on the same server. I hope for help :)
...
Hi,
I have an ASP.NET MVC 2 web site that is on SSL. I want to create a cookie like this:
FormsAuthentication.SetAuthCookie(validatedUser.UserName, false);
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, validatedUser.SecureToken, DateTime.Now, DateTime.Now.AddMinutes(10), false, String.Empty);
HttpCookie coo...
Well, my question is simple: is a cookie secure in an HTTPS connection?
...
This is probably more simple than I'm making it but I just can't figure out how to do it. What I've got are tabbed sections created in Coldfusion. The output is that the selected section has a class name that contains the string "tab_selected (+ the UUID created in coldfusion)" versus the unselected tab sections whose class names contain...
Hi,
For years I have suffered from the question of what the name is of the creature that looks like a cookie and is located in the git homepage header logo. And are there any pictures of the same creature? :)
...
Hello all,
I need help with the following :)
To begin with, I work on a large application that has a WinForms client and server. The server in our case is a set of WCF services. There is one service that is responsible for authentication of users. The logic of authentication is custom and complex and authentication service uses different memb...
Regarding this security issue: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/
Is it true to say "any time a user logs into a site, and isn't redirected to SSL/TLS/HTTPS connection, that the session cookies are vulnerable"?
What is the best solution to protect a Fac...
I have a bit of Perl CGI code which I'm trying to run in the project web space of a SourceForge account. The code is able to set a browser cookie just fine when talking to IE, but the cookie is not set when talking to Firefox. When I test with Apache on "localhost", both browsers work fine. It's only on the remote SourceForge URL that...
I want developers who embed my webapp to be able to pass a param in the url like ?style=dark which will alter the css accordingly. Is there a better way to keep this setting as the user navigates than appending ?style=dark to all links?
I've considered cookies etc. but if one user is viewing two pages which embed my app with different ...
I'm using LIVE HTTP headers to sniff the HTML traffic and to mimic it using curl.
The page I'm trying to get is a .jsp and I noticed that some data has been added to the cookie.
I'm using the cookie I retrieved when logging in to the site.
This is the link: https://direct.orange.co.il/selfservice/info/notLoggedUser/notLoggedIn.jsp?loginTo...
Hi,
We've got a rails 2.3.10 application running with restful authentication. We have a user who is running Windows XP and Firefox 3.6 / IE9. The user can't seem to get the session cookie (_app_session) to save on the local machine even though the set cookie header includes the _app_session cookie (verified in firebug). Other users, in...
Hi,
In the Session_Start method, I want to check if a cookie with a specific key exists and, if not, create a cookie with this key.
if (Request.Cookies[key] == null)
{
SetCookie();
}
But in Session_Start it is always NULL. If I check it in another place, I get the cookie's value.
Why is it always NULL in Session_Start?
Thanks,
Raya
...
Hi, I have this:
[WebMethod]
public static void SetTheme(string theme)
{
Guid studentIdentifier = SessionData.LoggedInUser.Identifier;
Student student = (Student)ItemFactory.GetItem(studentIdentifier);
student.Theme = theme;
}
And I want to change the cookie that is also named "theme", at the end of this WebMethod. Ho...