On 2/28/2013 11:17 PM, Chris Wong wrote:
On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont<corentin.dup...@gmail.com>
>wrote:
>>Hi Chris,
>>Thanks!
>>That's true for the user number. What should I do? Encrypt it?
>
>It's not that you have a user number, or even that it's accessible: it's
>that it's the entirety of access control, meaning that if the user changes
>it they can masquerade as another user. The correct solution is that a user
>should authenticate, which creates a session hash that you stash away and
>also send back to the user as a cookie so the browser will present it on
>accesses. Then you check that the presented hash is there and matches the
>session hash. These should expire periodically, requiring the user to log
>back in again.
Additionally, you can change the session hash with every page hit, to
some other totally random hash. If someone steals your session, they had
better act on it immediately, lest you visit another page and it changes
completely. If your session gets hijacked, you get logged out. When you
log in again the attacker loses access.
You can also check sessions by the hash and IP address. That has
usability concerns though. Even if players never switch machines in the
middle of a game, suppose you are playing on a cell phone and your train
goes through a tunnel. When you reconnect, your provider gives you a
different IP and you are logged out.
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
