The session key is a dynamic, encrypted password: it changes from day to day (and from machine to machine), and is encrypted for safe passage over the Internet. Use of a dynamic password, while not as secure as SSL, does solve many of the access problems associated with the standard ("basic") authentication method used by most (http/1.0) browsers. In particular, "man in the middle" attacks (conducted by anyone who can monitor communications from you to a web site) are significantly more difficult.
To return this dynamic, encrypted password to this server, you must be using a cookie-capable browser that understands JavaScript; in practice, Netscape 2.0 and above.
http/1.1 browsers and servers support "digest" authentication, which also entails the use of "dynamic, encrypted" passwords. As http/1.1 browsers become more widely adopted, the need for third-party solutions (such as this HTML/JavaScript/cookie approach) will disappear.
Implementation notes
The session-key is based on a shared secret known only to the client and the server. This need not be the same as the "logon" password required to gain access to a server's basic resource (the password entered in your browser's username/password authentication box). In fact, since a "logon" password is transmitted without any encoding, good practice suggests that the shared secret should never be used as a "logon" password.
Many sites will use a multi-step process:
1. A standard ("basic") logon, where you provide a username and a "logon" password in the browser's authentication pop-up window.
2. A request for a session-key, at which point you enter the shared secret.
3. The server uses the username/password (from step 1) to look up your shared secret (alternatively, there may be a single shared secret for all clients requesting a given resource).
4. This shared secret is used to verify the session-key.
The encryption method
The session key is computed using an MD5 hash of the following:
session_key = md5("IP-address_timestamp_Shared-secret")
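The following is an added worked example, not code from the page or from the site it describes. It implements the session-key formula above and the server-side verification from step 4 of the multi-step process, so the two halves of the scheme can be run together: the client derives md5("IP-address_timestamp_Shared-secret") from the secret the user typed, and the server recomputes the same value from the shared secret it looked up in step 3 and compares. The page does not say how the timestamp is formatted or how the digest is encoded, so a day-granular YYYYMMDD stamp (the page says the key "changes from day to day") and a lowercase hex digest are assumptions, as are the function names and the constructed secret table.

```python
import hashlib
import hmac
from datetime import date

# Assumption: the timestamp is the calendar day, so the key changes daily
# as the page states. The real site may use a different resolution/format.
def day_stamp(d: date) -> str:
    return d.strftime("%Y%m%d")

# The formula from the page: md5("IP-address_timestamp_Shared-secret").
# Assumption: the digest is carried as lowercase hex in the cookie.
def session_key(ip_address: str, timestamp: str, shared_secret: str) -> str:
    material = f"{ip_address}_{timestamp}_{shared_secret}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()

# Client side (what the page's JavaScript would do after step 2): the
# browser knows its own address, today's date and the secret the user typed.
def client_make_session_key(client_ip: str, shared_secret: str, today: date) -> str:
    return session_key(client_ip, day_stamp(today), shared_secret)

# Constructed server-side table for step 3: username -> shared secret.
# The shared secret is deliberately different from the basic-auth password,
# as the page recommends.
SHARED_SECRETS = {
    "alice": "correct-horse-battery",
    "bob": "staple-river-cloud",
}

# Server side (step 4): look up the secret for the user authenticated in
# step 1, recompute the key for the connecting address and today's date,
# and compare in constant time. The server never needs the secret to travel
# over the wire; only the per-day, per-address digest does.
def verify_session_key(username: str, client_ip: str, presented_key: str, today: date) -> bool:
    secret = SHARED_SECRETS.get(username)
    if secret is None:
        return False
    expected = session_key(client_ip, day_stamp(today), secret)
    return hmac.compare_digest(expected, presented_key)

if __name__ == "__main__":
    day = date(1997, 1, 1)
    key = client_make_session_key("10.0.0.5", SHARED_SECRETS["alice"], day)
    print("session key:", key)
    print("valid today from same address:", verify_session_key("alice", "10.0.0.5", key, day))
    print("valid tomorrow:", verify_session_key("alice", "10.0.0.5", key, date(1997, 1, 2)))
    print("valid from another machine:", verify_session_key("alice", "10.0.0.6", key, day))
```

Running the example shows the two properties the page claims: a captured key is rejected the next day and rejected from a different address, so an observer who records it gets a credential that is bound to one host and one day. Note that the server still has to hold the shared secret itself (not a hash of it) to recompute the digest, which is why the page insists the shared secret must not double as the plaintext "logon" password.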