struts-user mailing list archives

From Al Sutton <al.sut...@alsutton.com>
Subject Re: [s2] Whats the most strutsy way of doing....
Date Thu, 26 Jun 2008 14:53:19 GMT
The key(s) can be a single key per day/week/month. The date of the 
cookie generation can be included and the relevant key looked up.

The problem with MD5 is it's one way so I'd have to have either a search 
and match algorithm, or a database of MD5ed text to user mappings. With 
AES I can extract the user ID and a check that the password hasn't 
changed from the cookie itself by decrypting the cookie data.

Al.

Lukasz Lenart wrote:
> Hi,
>
> 2008/6/26 Al Sutton <al.sutton@alsutton.com>:
>   
>> I was thinking more along the lines of encrypting the userId and password
>> hash using AES, store the value in the cookie, then if the cookie is
>> available during another session decrypt, check everything matches, and let
>> them back in.
>>     
>
> But you will have to store keys on the server side for future use,
> maybe simple MD5 plus some arbitrary text will be better?
> http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html
>
>
> Regards
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
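
The scheme discussed in this thread (user id and password hash encrypted with AES, with a date label in the cookie selecting a per-period key), shown as an added example that is not code from either poster or from Struts. It assumes Java 8+ and uses AES-GCM so that a modified cookie fails to decrypt; the class name, cookie layout and `currentHash` lookup are hypothetical, and user ids are assumed not to contain a newline.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.Function;

public class RememberMeCookie {
    private final Map<String, byte[]> keys; // period label (e.g. "2008-06") -> AES key
    RememberMeCookie(Map<String, byte[]> keys) { this.keys = keys; }
    private Cipher cipher(int mode, String period, byte[] iv) throws Exception {
        byte[] key = keys.get(period);
        if (key == null) throw new IllegalStateException("key retired or unknown");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(period.getBytes(StandardCharsets.UTF_8)); // bind the key label to the ciphertext
        return c;
    }
    // Cookie = period + "." + base64url(iv || ciphertext || tag)
    String issue(String period, String userId, String pwHash) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV per cookie; never reuse one under the same key
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, period, iv)
                .doFinal((userId + "\n" + pwHash).getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return period + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Returns the user id, or null if the cookie is malformed, tampered with,
    // encrypted under a retired key, or the user's stored hash has changed.
    String verify(String cookie, Function<String, String> currentHash) {
        try {
            int dot = cookie.indexOf('.');
            String period = cookie.substring(0, dot);
            byte[] raw = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
            byte[] pt = cipher(Cipher.DECRYPT_MODE, period, Arrays.copyOf(raw, 12))
                    .doFinal(raw, 12, raw.length - 12);
            String[] f = new String(pt, StandardCharsets.UTF_8).split("\n", 2);
            byte[] now = currentHash.apply(f[0]).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(now, f[1].getBytes(StandardCharsets.UTF_8)) ? f[0] : null;
        } catch (Exception e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        RememberMeCookie rm = new RememberMeCookie(Collections.singletonMap("2008-06", new byte[16])); // constructed demo key
        String c = rm.issue("2008-06", "42", "hashA"); // constructed user id and hash
        System.out.println(rm.verify(c, id -> "hashA") + " / " + rm.verify(c, id -> "hashB"));
    }
}
```

Removing a period's entry from the key map invalidates every cookie issued during that period.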

