Cookies in Tapir User Manager

Tapir User Manager assigns up to three cookies in visitors' web browsers.
(1) tracking cookie

The tracking cookie is generated by Apache's mod_usertrack, so it is generated and recorded for all pages on the server, even those that do not use the Tapir_Auth object. The tracking cookie is recorded in the Apache server log (see *) and in TUM's database whenever an auditable event happens.

The tracking cookie currently has the following format: (this could change in a future version of Apache)

[host ip_address].[server pid][request time (UNIX format)][millisecond time]
For example:
 64.20.200.108.16049965444414570
The tracking cookie M4_SERVER_NAME
(2) session cookie
When the user logs in, we create a session cookie. The session cookie has the following format:
$session_id:$user_id:$ip_address:$issued_at:$hash
where
$hash=md5("$session_id:$user_id:$ip_address:$issued_at:$SESSION_HASH")
where $SESSION_HASH is site-dependent. This is a simple kind of digital signature that protects the session keys from tampering. Unlike a scheme that gives each session a unique token, we don't need to hit the database (or any other store) to verify that the token is correct. Our approach also prevents tampering with $issued_at. $last_issue lets us keep track of open sessions (and close them when the user stops interacting with the site) without needing to continuously hit the database. $issued_at is set to the UNIX timestamp on the web server at the moment the cookie is issued. If we get the cookie back from the user between $issued_at and $issued_at+SESSION_COOKIE_REISSUE (currently ten minutes), we know the cookie is valid. If we receive the cookie at $time
$issued_at+SESSION_COOKIE_REISSUE < $time < $issued_at + SESSION_TIMEOUT
we reissue the cookie. If it comes back after SESSION_TIMEOUT, we kick the user off. This way, we take a big load off the database, which we only have to hit every SESSION_COOKIE_REISSUE or so.
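The signing, verification and reissue logic described above, as an added example in Python (not Tapir's own code). The secret, the SESSION_TIMEOUT value and the function names sign and check are assumptions; the fields are split from both ends so that an IPv6 address in $ip_address does not break parsing.

```python
import hashlib
import hmac

SESSION_HASH = "constructed-site-secret"  # placeholder; the real value is site-dependent
SESSION_COOKIE_REISSUE = 600              # ten minutes, as stated on the page
SESSION_TIMEOUT = 3600                    # assumed value; the page does not give one


def sign(session_id, user_id, ip_address, issued_at, secret=SESSION_HASH):
    """Return $session_id:$user_id:$ip_address:$issued_at:$hash."""
    body = f"{session_id}:{user_id}:{ip_address}:{issued_at}"
    digest = hashlib.md5(f"{body}:{secret}".encode()).hexdigest()
    return f"{body}:{digest}"


def check(cookie, now, secret=SESSION_HASH):
    """Return (state, cookie); state is invalid, valid, reissue or expired."""
    try:
        # Split from both ends so an IPv6 address (which contains ':') survives.
        session_id, user_id, rest = cookie.split(":", 2)
        ip_address, issued_at, digest = rest.rsplit(":", 2)
    except ValueError:
        return "invalid", None
    expected = sign(session_id, user_id, ip_address, issued_at, secret)
    expected_digest = expected.rsplit(":", 1)[1]
    # Constant-time comparison, so response timing does not leak hash bytes.
    if not hmac.compare_digest(expected_digest.encode(), digest.encode()):
        return "invalid", None
    # issued_at is trusted only from here on, because the hash covers it.
    age = now - int(issued_at)
    if age >= SESSION_TIMEOUT:
        return "expired", None            # caller ends the session
    if age > SESSION_COOKIE_REISSUE:
        # Fresh cookie with issued_at = now; the one point that needs the database.
        return "reissue", sign(session_id, user_id, ip_address, now, secret)
    return "valid", cookie                # no database access needed
```
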
(3) Permanent login cookie