The key(s) can be a single key per day/week/month. The date of the cookie generation can be included and the relevant key looked up.

The problem with MD5 is it's one way so I'd have to have either a search and match algorithm, or a database of MD5ed text to user mappings. With AES I can extract the user ID and a check that the password hasn't changed from the cookie itself by decrypting the cookie data.

Al.

Lukasz Lenart wrote:
Hi,

2008/6/26 Al Sutton <[EMAIL PROTECTED]>:
I was thinking more along the lines of encrypting the userId and password
hash using AES, store the value in the cookie, then if the cookie is
available during another session decrypt, check everything matches, and let
them back in.

But you will have to store keys on the server side for future use,
maybe simple MD5 plus some arbitrary text will be better?
http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html


Regards
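
The scheme discussed in this thread (user ID and password hash encrypted with AES, a per-day key looked up from the date carried in the cookie), sketched as an added example that is not code from either poster. It assumes AES-GCM so that tampering is detected on decrypt (the thread only says "AES"); the in-memory key map, the cookie layout and all names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class RememberMeCookie {
    // Hypothetical in-memory key store: one AES key per day, looked up by the date in the cookie.
    static final Map<String, byte[]> KEYS_BY_DATE = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    static byte[] keyFor(String date, boolean create) {
        if (!create) return KEYS_BY_DATE.get(date);
        return KEYS_BY_DATE.computeIfAbsent(date, d -> { byte[] k = new byte[16]; RNG.nextBytes(k); return k; });
    }

    // Cookie layout (constructed for this example): date "." base64url(iv || ciphertext+tag).
    static String issue(String date, String userId, String passwordHash) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh IV per cookie; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyFor(date, true), "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(date.getBytes(StandardCharsets.UTF_8)); // bind the clear-text date to the ciphertext
        byte[] ct = c.doFinal((userId + "\n" + passwordHash).getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return date + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(blob);
    }

    // Returns the user ID, or null if the key is gone, the cookie was altered, or the password changed.
    static String verify(String cookie, Map<String, String> currentHashes) {
        try {
            String date = cookie.substring(0, cookie.indexOf('.'));
            byte[] key = keyFor(date, false);
            if (key == null) return null; // key for that date has been rotated out
            byte[] blob = Base64.getUrlDecoder().decode(cookie.substring(date.length() + 1));
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, 0, 12));
            c.updateAAD(date.getBytes(StandardCharsets.UTF_8));
            String[] p = new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8).split("\n", 2);
            return p.length == 2 && p[1].equals(currentHashes.get(p[0])) ? p[0] : null;
        } catch (Exception e) { return null; } // malformed input or failed authentication tag
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> db = new HashMap<>(); db.put("al", "hash-v1"); // constructed sample data
        String cookie = issue("2008-06-26", "al", "hash-v1");
        System.out.println("valid: " + verify(cookie, db));
        db.put("al", "hash-v2");
        System.out.println("after password change: " + verify(cookie, db));
    }
}
```

Deleting a date's entry from the key store invalidates every cookie issued under it, which is what makes the per-day/week/month key double as an expiry mechanism.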

