The authentication / authorization systems I wrote while working in
PHP-land involved a unique MD5 hash being sent as the cookie, and local
data (on disk using PHP's sessions or MySQL using home-grown) being
looked up and verified against the MD5, user's IP, browser
identification string (or hash of several different browser-sent
headers - accepted language, etc.). This was the most secure method I
could think of - taking the information out of the hands of the
browser.
In my world, the secret token is the only thing being passed around -
it is used as a bySecretToken lookup on a session before other tests
are performed to confirm identity. A la:
import hashlib  # replaces the old Python 2 md5 module
from sqlobject import SQLObject, StringCol, ForeignKey

class Session(SQLObject):
    # alternateID=True makes SQLObject generate Session.bySecretToken()
    secretToken = StringCol(length=48, alternateID=True, title="MD5/SHA Hash")
    user = ForeignKey('User')
    ip = StringCol(length=16)
    browserHash = StringCol(length=48)

    def validate(self, request):
        # Recompute the browser hash from the request headers and compare it
        # with the one recorded when the session was created.
        test = hashlib.md5()
        for header in ('REMOTE_HOST', 'REMOTE_ADDR', 'SERVER_ADDR',
                       'ACCEPT_ENCODING', 'HTTP_USER_AGENT'):
            test.update(request.headerMap[header].encode('utf-8'))
        return test.hexdigest() == self.browserHash
Or something similar, +/- a little paranoia. ;D
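Added example (mine, not the poster's code) of the same token-then-fingerprint check in current Python, with secrets for the token, SHA-256 for the browser hash and hmac.compare_digest instead of ==; the header set, the in-memory store and the sample header values are constructed assumptions, not anything from the post.

```python
import hashlib
import hmac
import secrets

# Request fields bound to the session, in the spirit of the post (assumed set).
BOUND_HEADERS = ("REMOTE_ADDR", "ACCEPT_LANGUAGE", "HTTP_USER_AGENT")

def browser_hash(headers):
    """Hash the bound headers in a fixed order so the digest is reproducible."""
    h = hashlib.sha256()
    for name in BOUND_HEADERS:
        value = headers.get(name, "").encode("utf-8")
        # Length-prefix each value so "ab"+"c" and "a"+"bc" cannot collide.
        h.update(len(value).to_bytes(4, "big"))
        h.update(value)
    return h.hexdigest()

class SessionStore:
    """In-memory stand-in for the on-disk / MySQL session table."""
    def __init__(self):
        self._by_token = {}

    def create(self, user, headers):
        # 32 bytes from the OS CSPRNG; the token is all the browser ever holds.
        token = secrets.token_hex(32)
        self._by_token[token] = {"user": user, "browser_hash": browser_hash(headers)}
        return token

    def validate(self, token, headers):
        """Return the user for a known token whose client fingerprint still matches."""
        session = self._by_token.get(token)          # the bySecretToken lookup
        if session is None:
            return None
        # Constant-time comparison: a plain == leaks timing about the digest.
        if not hmac.compare_digest(session["browser_hash"], browser_hash(headers)):
            return None
        return session["user"]

def demo():
    """Constructed headers: the same token replayed from a different client fails."""
    store = SessionStore()
    client = {"REMOTE_ADDR": "192.0.2.10", "ACCEPT_LANGUAGE": "en-US",
              "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)"}
    token = store.create("alice", client)
    other = dict(client, HTTP_USER_AGENT="curl/8.0")
    return (store.validate(token, client),          # "alice"
            store.validate(token, other),           # None
            store.validate("not-a-token", client))  # None
```

Binding to REMOTE_ADDR also rejects legitimate users whose address changes mid-session (mobile networks, NAT), so choose the bound headers with that trade-off in mind.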