[LRUG] Authentication by cookie
Jim Myhrberg
contact at jimeh.me
Mon Feb 7 04:37:48 PST 2011
What I used to do (before I started using Authlogic or Devise) was to have an auth_token column for each user, which contains a randomly generated value that's stored in the cookie along with the username or user ID. The auth_token would be regenerated whenever a user changed their password, or clicked a "log out everywhere" link.
Personally I felt this was a safer approach as it didn't expose the password hash or salt, despite the fact that the hash *should* be safe to expose.
-jim
On Monday, February 7, 2011 at 12:30, Andrew Stewart wrote:
> Hola El Rug,
>
> I am wondering what I should store in a tamper-proof cookie to remember a user across browser sessions. All I want to store is the user's id, much like this (Rails 3):
>
> cookies.signed[:remember_me] = user.id
>
> However every example I have seen stores the user's id and their salt/password-hash. I don't see, though, why we need the salt: the cookie is tamper-proof and the user's id isn't a secret.
>
> According to this blog post it's so the cookie is invalidated when the user changes their password.
>
> http://m.onkey.org/signed-and-permanent-cookies-in-rails-3
>
> Again, though, I don't see why we would want to invalidate the cookie in this situation.
>
> Usually when I find myself saying, "Everybody else is wrong, it's just me that's right," I carry on happily. However because this is authentication code I thought I should consult El Rug ;)
>
> Thanks in advance,
>
> Andy Stewart
> -------
> http://airbladesoftware.com
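Jim's scheme, as an added example that is not part of the original thread: a per-user random auth_token is stored next to the user id in a signed (tamper-proof, not secret) cookie, and regenerating the token on a password change or "log out everywhere" invalidates every cookie issued before that point. Rails' cookies.signed is stood in for by a small HMAC signer, and SECRET, User and USERS are constructed placeholders.

```ruby
%w[openssl securerandom json base64].each { |lib| require lib }
SECRET = 'constructed-secret-key-base-not-for-real-use' # placeholder for secret_key_base

# Stand-in for Rails' cookies.signed: the HMAC makes the payload tamper-proof,
# but it is not encrypted, so nothing secret (e.g. a password hash) belongs in it.
def sign_cookie(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Constant-time comparison so MAC and token checks don't leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload Hash, or nil if the cookie is malformed or tampered with.
def verify_cookie(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil unless data && mac
  return nil unless secure_equal?(mac, OpenSSL::HMAC.hexdigest('SHA256', SECRET, data))
  obj = JSON.parse(Base64.strict_decode64(data))
  obj.is_a?(Hash) ? obj : nil
rescue ArgumentError, JSON::ParserError
  nil
end
class User
  attr_reader :id, :auth_token
  def initialize(id)
    @id = id
    reset_auth_token!
  end
  # Call on password change or "log out everywhere": every remember-me cookie
  # issued before this point stops validating, without touching the password.
  def reset_auth_token!
    @auth_token = SecureRandom.hex(16)
  end
end

USERS = { 1 => User.new(1) } # constructed in-memory user store
def remember_me_cookie(user)
  sign_cookie('id' => user.id, 'auth_token' => user.auth_token)
end

# Accept only if the signature is intact AND the token matches the user's current one.
def user_from_cookie(cookie)
  payload = verify_cookie(cookie)
  user = payload && USERS[payload['id']]
  user if user && secure_equal?(user.auth_token, payload['auth_token'].to_s)
end
```

A cookie carrying only the id (Andy's original plan) still verifies as untampered but is rejected here, because it has no token to match against the user record.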