Best practices for Stateless cookie authentication using nonce [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 9 years ago.

I've been reading about using cookie for authentication. This seems challenging, because cookie could be stolen from browser cache or intercepted in HTTP message.

I've come to the idea of using nonce for that. I like it because of somebody steal it, he'll lose access as soon as real user tries to access the WebApp again. And to keep stealing it he'll have to be kinda close to the user.

But I'm unable to find a proper algorithm for it. Wordpress nonce implementation uses user_id for it, and it's authentication cookie generator is kinda complex (I will keep reading it, but I wanted something simpler to implement).

These are the constraints I'm forced to use:

• it should not require writing it on DB or HD, because it's not worth that complexity
• it cannot use Session, it must be Stateless on the meaning that server must not save any kind of data, all data (login and nonce) must be sent to client via cookie and he must send that cookie data back
• it's ok to add login in the cookie, something like "login|nonce", therefore when I receive the cookie I can substring it for login and nonce and verify it
• it must be implemented in PHP and Java Servlet! if it uses a core function of either of them, I must implement that function on the other or find a replacement, but they don't need to be interchangeable
• it's a nonce, so for every HTTP response I generate a new nonce, that will be valid only once and then become invalid if tried to be used again
• it would be nice if a nonce could be used only on right next request, but I think that would require to store this nonce somewhere and retrieve it for comparison, I still think that breaking Stateless isn't worth it, so I think a time limit could be enough (time limit means using time() / ( $nonce_life / 2 ) as one of nonce's parameters, so it can be used only during that time

The idea is to have a Stateless, cookie-only, way of knowing who's logged in. $nonce_life can be 1 day, therefore the user logs in during first day access and stay logged in until day ends.

As I can see in Wordpress, there's not really a way of knowing a nonce is used only once, all verification it does is if it's being used during its lifetime. Therefore, if $nonce_life is 1 day, a Wordpress nonce could be used unlimitless during that day. I think that's risky, maybe it should be better to store nonce on HD files, breake Stateless, but assure a nonce is used only once. I could use a simple rand() to create it.

Answer 1

I finally understood Wordpress _auth_cookie(), I was missing the old PHP extract() and explode(). Its cookie value holds $cookie = $user->user_login . '|' . $expiration . '|' . $hash; and $hash holds a lot of info like login, password and expiration time.

As I wanted to do with "login|nonce", but it adds expiration to it.