
I read the following paragraph in this answer:

  1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).

Please focus on this part:

A new token is generated

Well, why should I generate (and update in the database) a new token? Actually, I don't understand why I should change the cookie's value when the user is considered authenticated.

stack
  • Taking a guess here, so only a comment: if you keep changing the token, it's basically saying "ok, you're authed for this request. For the next one, use this code so I know it's still you". If you keep the same token for the entire session, it could be intercepted or hijacked. – Niet the Dark Absol Jun 27 '16 at 18:07
  • @NiettheDarkAbsol Well, every time the user closes and opens a new window, do I need to update that cookie? – stack Jun 27 '16 at 18:10
  • That's where a downside comes in. If the user so much as hits the Back button, it could break the link and force them to log out. For banks that's ok because security is more important than anything, but for everyday applications it would be extremely annoying. – Niet the Dark Absol Jun 27 '16 at 18:14
  • I think it's kind of like sites that force you to change your password periodically: if someone manages to get the cookie, it will not be useful after the next time you login. – Barmar Jun 27 '16 at 18:22
  • @Barmar I see, so you agree with doing that, right? – stack Jun 27 '16 at 18:23
  • Seems reasonable. Note that you're only doing this when they start a new session, not every page they access within the session. – Barmar Jun 27 '16 at 18:24
  • @Barmar Yeah, I know. It's just that there is a problem: if somebody else *(the thief)* hijacks that cookie and uses it, then that cookie will expire for the original person. – stack Jun 27 '16 at 18:28
  • What's the problem with that? It's like if someone steals your password, the site should force you to change it. – Barmar Jun 27 '16 at 18:33
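As an added worked example (not code from the question, from the quoted answer, or from any commenter): a minimal in-memory implementation of the series-identifier + token scheme the quoted paragraph describes, including the token rotation the question asks about and the theft detection that the comment thread circles around. The class and function names (`PersistentLogin`, `scenario`), the dict-backed store, the SHA-256 token hash and the user names are assumptions made for illustration; a real deployment would back the store with a database table and set the cookie with `HttpOnly`/`Secure`.

```python
import hashlib
import hmac
import secrets


class PersistentLogin:
    """Series + token 'remember me' store (hypothetical, in-memory).

    The cookie carries (series, token). The server keeps only a hash of the
    token, so a database leak does not yield cookies that can be replayed.
    """

    def __init__(self):
        # series -> {"user": str, "token_hash": str}
        self.db = {}

    @staticmethod
    def _hash(token):
        # Tokens are 256 bits of CSPRNG output, so a fast hash is sufficient;
        # slow password hashing is only needed for low-entropy secrets.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Called once, at password login: a fresh series and a fresh token."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.db[series] = {"user": user, "token_hash": self._hash(token)}
        return series, token  # both values go into the cookie

    def validate(self, cookie):
        """Called when a request has no live session but presents the cookie.

        Returns (status, user, new_cookie). Only the "ok" path yields a cookie.
        """
        series, token = cookie
        record = self.db.get(series)
        if record is None:
            # Unknown series: simply not logged in (expired or never issued).
            return "unknown", None, None

        if hmac.compare_digest(record["token_hash"], self._hash(token)):
            # Valid: rotate the token, store the new hash over the old record,
            # keep the series identifier. The old token is now dead.
            new_token = secrets.token_urlsafe(32)
            record["token_hash"] = self._hash(new_token)
            return "ok", record["user"], (series, new_token)

        # Series exists but the token is stale: someone presented a token that
        # was already rotated away. That only happens when two parties hold
        # the same cookie, i.e. it was copied. Revoke every series for the
        # user so neither the thief nor the stale legitimate cookie works.
        user = record["user"]
        for stale in [s for s, r in self.db.items() if r["user"] == user]:
            del self.db[stale]
        return "theft", user, None


def scenario():
    """Constructed walkthrough: a cookie is copied by an attacker."""
    store = PersistentLogin()
    cookie = store.issue("alice")
    stolen = cookie                                  # attacker copies the cookie
    status1, _, rotated = store.validate(cookie)     # alice returns: ok, token rotated
    status2, _, _ = store.validate(stolen)           # attacker replays old token: theft
    status3, _, _ = store.validate(rotated)          # alice's fresh cookie is revoked too
    return status1, status2, status3


if __name__ == "__main__":
    print(scenario())  # ('ok', 'theft', 'unknown')
```

Two things the code makes concrete. First, rotation answers the question directly: with a fixed token, a copied cookie is good until expiry; with rotation, it is good only until the next time its legitimate owner presents it, and if both owner and thief use it the server observes a stale token for a live series, which is the theft signal that makes revoking everything for that user the right call (the point Barmar makes). Second, `validate` runs only when there is no live session, so the rotation cost is paid once per new browser session, not per page. The caveat from the thread is real, though: two requests racing with the same old cookie, or a cached page replaying one, will hit the "theft" branch and log the user out, so production implementations typically accept the immediately previous token for a short grace window.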

0 Answers