[LRUG] Authentication by cookie

Jim Myhrberg contact at jimeh.me
Mon Feb 7 04:37:48 PST 2011


What I used to do (before I started using Authlogic or Devise) was to have an auth_token column for each user, which contains a randomly generated value that's stored in the cookie along with the username or user ID. The auth_token would be regenerated whenever a user changed their password, or clicked a "log out everywhere" link.

Personally I felt this was a safer approach as it didn't expose the password hash or salt, despite the fact that the hash *should* be safe to expose.


-jim
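The auth_token scheme Jim describes, and the id-only signed cookie Andy asks about, side by side as an added example. This is not code from the thread, from Authlogic or from Devise: the hand-rolled SignedCookie module stands in for Rails' cookies.signed (HMAC over a Base64 payload, same idea, far fewer features), USERS is an in-memory hash standing in for the users table, PBKDF2 stands in for bcrypt, and SECRET and the sample user are constructed values for this example only.

```ruby
require "openssl"
require "securerandom"
require "json"
require "base64"

# Stand-in for Rails' secret_key_base. Constructed value for this example only.
SECRET = "constructed-secret-key-base-do-not-reuse".freeze

# Constant-time byte comparison so a token check does not leak via timing.
def secure_equal?(a, b)
  a = a.to_s
  b = b.to_s
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal signed cookie ("payload--hmac"), playing the role of cookies.signed.
# The payload is readable by the client; only tampering is prevented, which is
# why the cookie must never carry anything you would mind the user seeing.
module SignedCookie
  module_function

  def sign(value)
    payload = Base64.strict_encode64(JSON.generate(value))
    "#{payload}--#{hmac(payload)}"
  end

  # Decoded value, or nil if the signature does not match or the payload is junk.
  def verify(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_equal?(hmac(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def hmac(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end
end

# In-memory users "table" (constructed). auth_token is the per-user random
# column from the post; it is the only thing the server can rotate to revoke
# cookies without touching the password.
User = Struct.new(:id, :password_hash, :auth_token)
USERS = {}

def hash_password(password)
  # PBKDF2 stands in for bcrypt here; the salt is stored alongside the hash.
  salt = SecureRandom.hex(8)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000,
                                 length: 32, hash: "sha256")
  "#{salt}$#{key.unpack1('H*')}"
end

def create_user(id, password)
  USERS[id] = User.new(id, hash_password(password), SecureRandom.hex(16))
end

def rotate_auth_token!(user)
  user.auth_token = SecureRandom.hex(16)
end

def change_password!(user, new_password)
  user.password_hash = hash_password(new_password)
  rotate_auth_token!(user) # every outstanding remember-me cookie dies here
end

def logout_everywhere!(user)
  rotate_auth_token!(user)
end

# Jim's scheme: the cookie carries the user id plus the auth_token, never the
# password hash or salt.
def remember_cookie(user)
  SignedCookie.sign("id" => user.id, "token" => user.auth_token)
end

def user_from_remember_cookie(cookie)
  data = SignedCookie.verify(cookie)
  return nil unless data.is_a?(Hash)
  user = USERS[data["id"]]
  # A user row with no token must never match a cookie with no token.
  return nil unless user && !user.auth_token.to_s.empty?
  return nil unless secure_equal?(user.auth_token, data["token"])
  user
end

# The id-only variant from the question, for contrast: a valid signature is the
# only check, so nothing the server stores can ever revoke an issued cookie.
def id_only_cookie(user)
  SignedCookie.sign("id" => user.id)
end

def user_from_id_only_cookie(cookie)
  data = SignedCookie.verify(cookie)
  data.is_a?(Hash) ? USERS[data["id"]] : nil
end
```

Running this shows the difference the thread is about: after change_password! (or logout_everywhere!) the id+token cookie stops resolving to a user, while the id-only cookie keeps working for as long as the signing secret does. In a real app the auth_token column wants an index, since every remember-me request looks it up, and the cookie itself should additionally be marked HttpOnly and Secure.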



On Monday, February 7, 2011 at 12:30, Andrew Stewart wrote: 
> Hola El Rug,
> 
> I am wondering what I should store in a tamper-proof cookie to remember a user across browser sessions. All I want to store is the user's id, much like this (Rails 3):
> 
>  cookies.signed[:remember_me] = user.id
> 
> However every example I have seen stores the user's id and their salt/password-hash. I don't see, though, why we need the salt: the cookie is tamper-proof and the user's id isn't a secret.
> 
> According to this blog post it's so the cookie is invalidated when the user changes their password.
> 
> http://m.onkey.org/signed-and-permanent-cookies-in-rails-3
> 
> Again, though, I don't see why we would want to invalidate the cookie in this situation.
> 
> Usually when I find myself saying, "Everybody else is wrong, it's just me that's right," I carry on happily. However because this is authentication code I thought I should consult El Rug ;)
> 
> Thanks in advance,
> 
> Andy Stewart
> -------
> http://airbladesoftware.com
> 

