Secure authentication without binding to the IP

Good night.
Note: it must not be tied to the IP (Twitter and Facebook, for example; as far as I know you are not logged out there when your IP changes).
After reading a few articles I could not find a way out.
Authorization:
There are several ways.
method 1:
The user enters the username and password; the password is hashed on the client side and sent to the server, which verifies the data. If everything is OK, a generated random value is hashed (or even just a random value together with the session ID) and written to the session.
method 2:
When the form is generated, a random value is written to a hidden field and to the database. The user again enters the username and password; the password is hashed, then hashed together with the additional value and sent to the server, where it is checked again, and the value is written to the cookie.

Now the "remember me on this computer" function.
Here the problems begin: if you use those two methods and, when a user opens the site, check the values (compare the cookie with the database), it is possible to steal the cookie and log in. How do I come up with a solution?
Thank you.

6 Answers

Oh, it seems to me you are once again reinventing the wheel.
On login, send the username and password to the server (use HTTPS to avoid interception), match a sessionId, and let the user walk through your pages / request services with that Id.
A hash of various browser headers (user agent, accept *, etc.) is a small safety net, but still better than nothing.
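The header-hash safety net from the answer above, written out as an added example (not code from the original thread): a server-side session store keyed by a random ID, with the session bound to a fingerprint of a few request headers, so a copied cookie presented from a client whose headers differ is refused. The header names, the in-memory dict store and the HMAC signing of the ID are my own assumptions; the header values in the usage call are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment load it from configuration.
SERVER_KEY = secrets.token_bytes(32)
# Assumed in-memory session store: session_id -> {"user": ..., "fp": ...}
SESSIONS = {}


def client_fingerprint(headers):
    """Hash of a few browser headers ("user agent, accept *, etc." in the answer).
    Not a secret: whoever can capture the cookie can usually capture these too,
    which is why the answer calls it only a small safety net."""
    parts = [headers.get(h, "") for h in ("User-Agent", "Accept", "Accept-Language")]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def create_session(user, headers):
    """Called after the password has been verified over HTTPS. Returns the cookie value."""
    session_id = secrets.token_urlsafe(32)  # random, unguessable; nothing derived from IP
    SESSIONS[session_id] = {"user": user, "fp": client_fingerprint(headers)}
    # Sign the ID so a forged or tampered cookie is rejected before any store lookup.
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def resolve_session(cookie, headers):
    """Return the user for a valid cookie, or None when the cookie is forged, unknown,
    or presented from a client whose header fingerprint no longer matches."""
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    sess = SESSIONS.get(session_id)
    if sess is None or not hmac.compare_digest(sess["fp"], client_fingerprint(headers)):
        # Fingerprint mismatch: treat the cookie as possibly stolen and revoke the
        # session, so the legitimate user has to log in again rather than share it.
        SESSIONS.pop(session_id, None)
        return None
    return sess["user"]


if __name__ == "__main__":
    # Constructed request headers for two different clients.
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/10", "Accept": "text/html"}
    other = dict(browser, **{"User-Agent": "curl/7.0"})
    cookie = create_session("alice", browser)
    print(resolve_session(cookie, browser))  # alice
    print(resolve_session(cookie, other))    # None: same cookie, different client
```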
What is described above is basically not a bad option, in the sandbox.
If you do not do the IP check, there is always a chance that cookies get stolen. The only way is SSL, and to be wholly 100% sure that the site has no XSS.
I would suggest, as already mentioned above, doing the IP check per user.
There is an option that is independent of the IP: keep the cookie on one domain that is not IP-dependent, and on the other, main domain keep it IP-dependent. If the user's IP changes, do cross-domain authorization. VKontakte does this. For how to implement it see, for example, Ilya Kantor's talk: addconf.ru/event.sdf/ru/add_2010/authors/136/174