Hey all,
Here's my problem:
Site verifies login offsite (3rd party social login) -> My site reads success & user_token then assigns cookie with new encrypted user_token using md5 then sha256.
Let's say a user logs in through someone's personal WiFi hotspot not knowing that it's a security threat. Can't this person just copy the plain text data and recreate the cookie to emulate that user on my site?
I do not want IP verification; it's too much of a hassle for users to manually specify every IP they are going to use. I know site-wide SSL would fix the packet sniffing issue, but that would cost site performance, so it's not an option.
Am I forced to create a temporary connection token/cookie that takes all the user environment variables into account (ip/user agent/OS/resolution) and cross-verifies? Is this even a solution?
Am I way off and missing something simple?
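Added illustration (not code from the original post): a reconstruction of the md5-then-sha256 cookie derivation described above, alongside a random server-side session id with a TTL and revocation. It shows why the derived cookie, once captured, stays valid indefinitely, while a random id at least bounds the exposure window; neither stops the capture itself, which only transport encryption does. The sample token value is constructed.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample value standing in for what the third-party login returns.
SAMPLE_USER_TOKEN = "user-12345-social-login-token"


def derive_cookie_as_described(user_token: str) -> str:
    """Reconstruction of the scheme in the question: md5 of the token, then sha256.
    It is a pure function of user_token: the same value is issued on every login,
    so a copy taken from one request is a valid credential for as long as the
    underlying user_token is."""
    md5_hex = hashlib.md5(user_token.encode()).hexdigest()
    return hashlib.sha256(md5_hex.encode()).hexdigest()


class SessionStore:
    """Server-side sessions keyed by a random id; the cookie carries only the id.
    A captured id still works until it expires or is revoked, but it reveals
    nothing about user_token and can be invalidated without touching the user."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user_id: str, now: float) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = (user_id, now + self.ttl)
        return session_id

    def lookup(self, session_id: str, now: float) -> Optional[str]:
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]  # expired: drop it on first use
            return None
        return user_id

    def revoke(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """HttpOnly keeps scripts away from the id; Secure is only honoured by the
    browser over HTTPS, so without TLS it provides no protection on the wire."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```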