Persistent Authentication Cookie Generator Gem
This set of slides explains why you need the persistent authentication cookie generator and gives an overview of its implementation.

1 Comment
1 Like
Statistics
Notes
  • http://w01.ourworld.com/ow/tracking?source=ref_link&user_id=30117606
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
1,604
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
8
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Persistent Authentication Cookie Generator Gem

  1. Persistent Cookie Authentication Gem, by Wong Liang Zan (liangzan.net)
  2. What are Persistent Cookies?
  3. They are your browser cookies.
  4. They are used to identify you.
  5. Examples of use:
     - Set default languages
     - Set default theme
     - Set default layout
     - And more…
  6. Who is using it?
  7. Why do I need it?
  8. Skip the registration step
  9. Fewer steps
  10. Jakob Nielsen says “Less steps = Better usability”
  11. It increases the conversion rate
  12. Conversion Rate: Carts / Orders = %
  13. Top 10 retailers by conversion rate (Aug ’08):
      1. ProFlowers 41.5%
      2. 1800flowers.com 20.8%
      3. Blair.com 20.1%
      4. QVC 20.1%
      5. LaneBryant Catalog 19.7%
      6. LL Bean 19.7%
      7. Roamans 18.8%
      8. The Sportsman Guide 17.7%
      9. Office Depot 17.3%
      10. eBay 15.2%
  14. Average e-commerce store’s conversion rate? 0.5 – 2 %
  15. Persistent cookies remove the registration step, get the user to the checkout page faster, and increase the conversion rate.
  16. So, what does the gem have?
  17. Features:
      - A model that stores passwords as salted SHA1 hashes
      - A controller with signup, login, welcome and logoff actions
      - Gmail SMTP server integration
      - Account creation that requires account verification via email
      - Support for forgotten and changed passwords
      - A mixin which lets you easily add advanced authentication features to your abstract base controller
      - Extensive unit and functional test cases to make sure nothing breaks
      - Token-based authentication
      - Persistent cookie management that allows anonymous users to be authenticated via cookies
  18. How do I install it?
  19. gem install persistent_cookie_authentication_generator
      Documentation: http://liangzan.net/?p=34
  20. Implementation Overview (credit to Barry Jaspan & Charles Miller)
  21. When a user logs in, a cookie is issued.
  22. The cookie has three parts (the triplet): username, series, and token.
  23. When the user visits the site, there are 3 courses of action:
  24. 1) If the triplet is present:
      - User is authenticated
      - Used token is removed from the DB
      - New cookie is issued with a new token
      - The new token is stored with the same series and username
  25. Diagram of new cookie
  26. 2) Username & series are present but the token doesn’t match: a theft has occurred.
  27. 3) Username & series not present: ignore.
  28. How do you know someone has stolen my cookie?
  29. When a hacker logs in with your cookie, his token is replaced, but yours is still the old one.
  30. How do we know it’s you? Ans: your series is still the same.
  31. When there exists a cookie with the same username and series but not the same token, it means that someone used your cookie to log in before you.
  32. Advantages:
      - An attacker is only able to use a stolen cookie until the victim next accesses the web site, instead of for the full lifetime of the remembered session.
      - When the victim next accesses the web site, he will be informed that the theft occurred.
  33. Q & A
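The three courses of action from the implementation overview (match the triplet and rotate the token, detect a mismatched token in a known series as theft, ignore an unknown username/series), worked through as an added Ruby example. This is not the gem's own code: the class PersistentLoginStore, its methods login/visit/series_count and the in-memory Hash standing in for the DB are all hypothetical, the sample user "alice" is constructed, and two choices go beyond the slides and are marked as assumptions in the comments: only a SHA-256 hash of the token is kept server-side, and a detected theft invalidates every remembered session of that user rather than just informing them.

```ruby
require 'securerandom'
require 'digest'

# Added example, not the gem's own code: an in-memory model of the
# username/series/token persistent-login scheme the slides describe.
# Class and method names are hypothetical; the "DB" is a Hash.
class PersistentLoginStore
  # status is :authenticated, :theft or :ignored; cookie is the new triplet
  # string (username:series:token) when one was issued, else nil.
  Result = Struct.new(:status, :cookie)

  def initialize
    # { username => { series => sha256(token) } } -- constructed in-memory store.
    # Storing only a hash of the token is an assumption beyond the slides.
    @tokens = {}
  end

  # Interactive login: start a fresh series and issue the first cookie.
  def login(username)
    issue(username, SecureRandom.hex(16))
  end

  # Every visit that presents a persistent cookie goes through here.
  def visit(cookie)
    username, series, token = cookie.to_s.split(':', 3)
    stored = @tokens.fetch(username, {})[series]

    # 3) Username & series not known: ignore the cookie.
    return Result.new(:ignored, nil) if stored.nil?

    if secure_compare(stored, hash_token(token.to_s))
      # 1) Triplet matches: drop the used token, issue a new token in the same series.
      @tokens[username].delete(series)
      Result.new(:authenticated, issue(username, series))
    else
      # 2) Username & series match but token does not: a theft has occurred.
      #    Invalidating every series for the user (so neither party keeps
      #    access) is an assumption; the slides only say the victim is informed.
      @tokens.delete(username)
      Result.new(:theft, nil)
    end
  end

  # Number of live remembered sessions (series) for a user.
  def series_count(username)
    @tokens.fetch(username, {}).size
  end

  private

  def issue(username, series)
    token = SecureRandom.hex(16)
    (@tokens[username] ||= {})[series] = hash_token(token)
    [username, series, token].join(':')
  end

  def hash_token(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The theft story from the slides: the attacker replays the stolen cookie
# first, which rotates the token; the victim then shows up with the old one.
def theft_scenario
  store = PersistentLoginStore.new
  victim_cookie = store.login('alice')        # constructed sample user
  attacker = store.visit(victim_cookie.dup)   # stolen copy used first
  victim   = store.visit(victim_cookie)       # same series, stale token
  [attacker.status, victim.status, store.series_count('alice')]
end

puts theft_scenario.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `[:authenticated, :theft, 0]`: the replayed cookie authenticates once, the victim's next visit is classified as theft because the series still matches but the token no longer does, and the user's remembered sessions are gone. Note that the same path fires if a legitimate user replays their own stale cookie (for example from a browser restored after the token rotated), so the "theft" message shown to the user should say that the remembered login was invalidated and ask them to log in again, rather than assert a break-in.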