From: Alex Russell (alex_at_netWindows.org)
Date: Sun Aug 25 2002 - 14:14:24 CDT
I actually just had this discussion not 2 days ago. I was designing an
LDAP-based authentication system, and I was using both a session ID and a
nonce (what you called a key) that changed with every request. His
observation is that if the nonce is tied to the user, the session ID on the
client side becomes superfluous. Sure, you could use one, but it doesn't
provide any more security than just changing the nonce with every request.
> The value of the key should be
> updated with *every* request, and its current value stored internally
> in the web server together with the session ID (and all other
> information associated with that session). As soon as you receive a
> valid session ID with an invalid key, you invalidate the session and
> request that the user reauthenticate.
-- Alex Russell alexSecurePipe.com alexnetWindows.org
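The scheme described in the quoted text, as an added example (not code from the post or from the list): a server-side store that issues a per-session key, rotates it on every request, and invalidates the session when a valid session ID arrives with a key that does not match the stored one. The names SessionStore, login and check are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    key: str           # current per-request key (the "nonce" in the thread)
    valid: bool = True


class SessionStore:
    """Server-side session table: one key per session, replaced on every request."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, user: str):
        """After authentication, issue a fresh session ID and its first key."""
        sid = secrets.token_urlsafe(24)
        key = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(user=user, key=key)
        return sid, key

    def check(self, sid: str, key: str):
        """Validate one request.

        Returns (user, next_key) on success; the client must present next_key
        on its following request. A valid session ID with a non-matching key
        (a replayed or guessed value) invalidates the whole session, so the
        legitimate user is asked to reauthenticate rather than sharing the
        session with whoever presented the stale key. Returns None on failure.
        """
        sess = self._sessions.get(sid)
        if sess is None or not sess.valid:
            return None
        if not hmac.compare_digest(sess.key, key):
            sess.valid = False                    # valid SID, wrong key: kill session
            return None
        sess.key = secrets.token_urlsafe(24)      # rotate for the next request
        return sess.user, sess.key
```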