0

So basically I am trying to log a user in with a cookie and not query the DB, to improve performance.

here is a brief idea:

  1. transmit everything via SSL
  2. set a Global secret key A and secret key B
  3. generate a random verification string on registration and password change
  4. encrypt the verification string with A, store it in cookie
  5. encrypt the verification string with B, store it in cookie
  6. when user tries to login, I decrypt each string with A and B, compare if they match

I am wondering if it is a good idea if it is:

How can I actually do the encryption in Java, using BouncyCastle AES-256, Digest or whatever?

How much does this encryption/decryption process affect performance, when compared with authentication by storing a session variable in a super fast DB like Redis?

If it is not: what should I do?

Matthew Yang

1 Answer

2

You can simply encrypt a known value together with the authentication data, when you decrypt verify that the data is present in the authentication token (the cookie). No need to use two keys.

The speed difference with a database depends on the database configuration as well as the cryptography that is performed. I would rather opt for a proven scheme first and only invent your own if performance leaves you no other choice.

Schemes are better verified on http://security.stackexchange.com.

Maarten Bodewes
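A concrete form of the single-key scheme the answer describes (seal a known value together with the user data, then check that the value is present after decrypting), which also covers the cookie-issuing and login-checking steps 4 to 6 of the question. This is an added example written for this page in Java; it is not code from the question or the answer. It uses the standard JCE `AES/GCM/NoPadding` cipher, so BouncyCastle is not required; the class name, the marker string, the cookie layout and the sample user are constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Stateless login cookie: one AES-256-GCM key, a fixed "known value" marker,
 * and the user data sealed together. GCM's authentication tag plus the marker
 * check replace the two-key compare from the question.
 * (Example code written for this page; not from the question or the answer.)
 */
public final class LoginCookie {
    private static final byte[] MARKER = "LOGIN-v1".getBytes(StandardCharsets.US_ASCII); // constructed marker
    private static final int IV_BYTES = 12;      // GCM standard nonce length
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public LoginCookie(byte[] rawKey) {
        if (rawKey.length != 32) throw new IllegalArgumentException("need a 256-bit key");
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Seal marker || expiry || userId into a Base64url cookie value (iv || ciphertext+tag). */
    public String issue(String userId, long expiresAtEpochSeconds) throws GeneralSecurityException {
        byte[] user = userId.getBytes(StandardCharsets.UTF_8);
        ByteBuffer plain = ByteBuffer.allocate(MARKER.length + Long.BYTES + user.length);
        plain.put(MARKER).putLong(expiresAtEpochSeconds).put(user);

        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce per cookie; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] sealed = c.doFinal(plain.array());

        byte[] out = new byte[iv.length + sealed.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(sealed, 0, out, iv.length, sealed.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the user id, or null when the cookie is forged, tampered with, malformed or expired. */
    public String verify(String cookie, long nowEpochSeconds) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookie);
            if (in.length < IV_BYTES + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key,
                   new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, IV_BYTES)));
            // Any modified byte fails the tag check here (AEADBadTagException).
            byte[] plain = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            if (plain.length < MARKER.length + Long.BYTES) return null;
            // The "known value" check from the answer: marker absent means not our cookie.
            if (!Arrays.equals(Arrays.copyOfRange(plain, 0, MARKER.length), MARKER)) return null;
            ByteBuffer buf = ByteBuffer.wrap(plain, MARKER.length, plain.length - MARKER.length);
            long expiresAt = buf.getLong();
            if (expiresAt < nowEpochSeconds) return null;
            byte[] user = new byte[buf.remaining()];
            buf.get(user);
            return new String(user, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;                         // every failure mode reads as "not logged in"
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32];
        RNG.nextBytes(k);                        // in production: load from config/KMS, not generated per start
        LoginCookie lc = new LoginCookie(k);
        long now = System.currentTimeMillis() / 1000;
        String cookie = lc.issue("alice", now + 3600);     // constructed sample user
        System.out.println("valid    -> " + lc.verify(cookie, now));          // alice
        System.out.println("expired  -> " + lc.verify(cookie, now + 7200));   // null
        char[] cs = cookie.toCharArray();                  // flip one character inside the ciphertext
        int i = cs.length / 2;
        cs[i] = cs[i] == 'A' ? 'B' : 'A';
        System.out.println("tampered -> " + lc.verify(new String(cs), now));  // null
    }
}
```

What the question's steps 2 to 6 try to establish, that the cookie was produced with the server's secret, is exactly what the GCM authentication tag proves, so a single key suffices. The expiry field is what a DB-less design otherwise lacks: without a lookup there is no per-user revocation, so the password change in step 3 only invalidates old cookies once they expire or the key is rotated.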