This cookie authentication system is meant to save users the hassle of logging in to the site every time when they work from a consistent location, while providing sufficient security for authorized use.
The following description applies to all files associated with updating the colloquia. They are currently listed under the directory colloquia/test. No files can be accessed from the web without a valid cookie or a valid login.
Users access the following link to enter new colloquia: http://www.cs.virginia.edu/colloquia/update. It directs the user to https://www.cs.virginia.edu/colloquia/test/testlogin.php. The pages use SSL, and therefore the URL is shown as https. The logic is described below:
First, we check whether a cookie exists on the computer. If not, we print the login page, where the user needs to enter a username and password. We then run a query against the database to see if the username exists. If the username exists, we encrypt the password the user entered and compare it with the encrypted version of the password in the database. If they match, the user is logged in. A cookie is saved onto the user's hard drive with the encrypted username, a randomly generated sequence number, and an encrypted network IP. If the two passwords do not match, the user sees an error message and is directed back to the login page.
If a cookie exists, we validate the cookie. To do so, we first get the user's network IP, encrypt it, and compare it with the encrypted IP stored in the cookie. Then we check the user's username by running a query against the database. Lastly, we check the sequence number. The sequence number defines the key for encryption.
If all three match, the user is logged in. The old cookie is deleted and a new cookie is saved onto the user's hard drive. The sequence number is again randomly generated, saved to the database, and written to the cookie. If there is any mismatch among the three comparisons, a specific error message is displayed, the existing invalid cookie is deleted, and the user is directed back to the login page.
Users are logged in either by submitting a username and password or via a valid cookie. Users are categorized as either regular users or administrators. A regular user has permission to enter new colloquia. An administrator has permission to add new colloquia or to add a new user by providing an email address. Users can choose to log out at any time and thus delete the cookie. This functionality is especially useful when working at a public workstation.
A new user receives an email with a one-time-use link to sign up for an account. No username or email can be duplicated in the database; an error message alerts users when this happens. When a user forgets the password, he/she may supply the username or email and receive an email with a one-time-use link to reset the password.
After a new colloquium is submitted, an individual HTML page is generated for it and the user is directed back to enter new colloquia. The HTML pages automatically generated from a colloquia update are the individual page of the colloquium, and the colloquia lists sorted by date, speaker, MS thesis, MS projects, PhD defenses, and PhD proposals. In addition, a script is called to find the last name of the speaker for sorting purposes. These pages are generated automatically when a new colloquium is entered. An alert email is also sent to firstname.lastname@example.org for each new event logged.
Passwords are stored in encrypted form in the DB to prevent information leaking in the event that someone breaks into the DB. Passwords are always in encrypted form.
All sensitive information stored in the cookie is encrypted. A one-way encryption is used.
The network IP address is encrypted and stored in the cookie. When a user tries to log in using the cookie, an identical IP address is required.
In case an attacker is able to spoof the IP that was encrypted in the cookie, a sequence number is used to limit the damage. When the user logs in by entering a username and password, a randomly generated sequence number is saved to the DB and stored in the cookie. When the user logs back in using the cookie and is successfully authenticated, a new sequence number is generated using the random function and saved in the DB. A new random sequence number is used every time for encrypting the username and IP. When a cookie is used, it is deleted immediately, and a new cookie is needed to log in. A cookie can be used only once and is then deleted. A new cookie is generated for authorized users.
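The cookie check and the single-use sequence number described above can be sketched as follows. This is an added example, not the site's own code: HMAC-SHA256 as the one-way function, the in-memory `DB` table, the function names and the username lookup by scanning the table are assumptions, and the IP addresses in any call are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the user table: username -> current sequence number.
DB = {"alice": None}


def one_way(seq: str, value: str) -> str:
    """Keyed one-way transform; the sequence number is the key (HMAC-SHA256 is an assumption)."""
    return hmac.new(seq.encode(), value.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, ip: str) -> dict:
    """After a successful login or cookie check: store a fresh sequence number, build the cookie."""
    seq = secrets.token_hex(16)  # drawn from a CSPRNG so the next value cannot be predicted
    DB[username] = seq
    return {"user": one_way(seq, username), "seq": seq, "ip": one_way(seq, ip)}


def validate_cookie(cookie: dict, client_ip: str):
    """Return (new_cookie, None) on success or (None, reason) on failure."""
    seq = cookie.get("seq", "")
    # Check 1: network IP, recomputed under the cookie's sequence number.
    if not hmac.compare_digest(one_way(seq, client_ip), cookie.get("ip", "")):
        return None, "ip mismatch"
    # Check 2: username, found by scanning the table (lookup strategy is an assumption).
    user = next((u for u in DB
                 if hmac.compare_digest(one_way(seq, u), cookie.get("user", ""))), None)
    if user is None:
        return None, "unknown user"
    # Check 3: sequence number must equal the one currently stored for that user.
    if DB[user] is None or not hmac.compare_digest(DB[user], seq):
        return None, "stale sequence number"
    # All three match: the presented cookie is spent, so rotate to a new one.
    return issue_cookie(user, client_ip), None
```

Because the sequence number travels in the cookie and is also the key, the comparison against the stored sequence number is the check that ties a cookie to server state in this sketch.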
This system does not protect against attackers who gain control over an authorized user's computer. The system is also vulnerable if an attacker is able to steal the cookie, spoof the IP, and use the cookie before it expires and before the authorized user's next visit.
Department of Computer Science
School of Engineering, University of Virginia
© Created by the CS Web Team