Atozed Forums
How to generate a more unique cookie - Printable Version




How to generate a more unique cookie - ALW2019 - 11-21-2019

Running IntraWeb 14.2.8 with Delphi 10.1.

We have the requirement to destroy the original cookie that was generated prior to authentication, and generate a new cookie after authentication. The generated post-authentication cookie is different; however, the difference is negligible: only the last character is changed (for example from ‘3’ to ‘8’). Each new cookie should be randomly generated so that values cannot be predicted.

In ServerController, CookieOptions are HttpOnly(true), SessionCookies(true) and UseCookies(true).

Is there a way in IntraWeb 14.2.8 to adjust the method used, to generate a more secure/unique cookie after authentication?

Thank you.


RE: How to generate a more unique cookie - rlebeau - 11-22-2019

This should be asked in the IntraWeb forum instead.


RE: How to generate a more unique cookie - Alexandre Machado - 12-06-2019

The cookie generated by IntraWeb is for session control. It is not related to user authentication (a session can exist without an authenticated user).

IntraWeb allows you to change the session ID after some event (e.g. user authentication). Will this satisfy your requirements? But the cookie is still linked to the session (i.e. it is a session cookie not a user cookie).


RE: How to generate a more unique cookie - ALW2019 - 12-13-2019

Hi Alexandre,
A new session ID and a new session cookie generated after authentication would satisfy our requirements. This would also require destruction of the initial ID and cookie after authentication. How would I go about doing this in IntraWeb 14?