Many sites create an authenticator by signing the concatenation of the username and expiration time with a key: signed(username+expiration time, key). The problem with this type of system is that an adversary can abuse it by creating a username that will have the same authenticator as another existing user.
For example, a user with username Alice and expiration date 21-Apr-2001 results in the authenticator signed(Alice21-Apr-2001,key). However, a user Alice2 with expiration date 1-Apr-2001 will have the same authenticator signed(Alice21-Apr-2001,key).
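The collision above, shown next to an unambiguous encoding. This is an added example, not code from the original page. It assumes HMAC-SHA256 stands in for signed(..., key); the key, the function names and the length-prefix framing are illustrative assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def mac(data: bytes) -> str:
    # Assumption: HMAC-SHA256 plays the role of signed(data, key) in the text.
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def ambiguous_authenticator(username: str, expiration: str) -> str:
    """Scheme from the text: the fields are concatenated with no boundary."""
    return mac((username + expiration).encode())


def framed_authenticator(username: str, expiration: str) -> str:
    """Hardened variant (assumption): each field carries a 4-byte length
    prefix, so the same bytes cannot be split into different fields."""
    framed = b""
    for field in (username, expiration):
        raw = field.encode()
        framed += len(raw).to_bytes(4, "big") + raw
    return mac(framed)


def verify_framed(username: str, expiration: str, authenticator: str) -> bool:
    # Constant-time comparison of the recomputed and the presented value.
    expected = framed_authenticator(username, expiration)
    return hmac.compare_digest(expected, authenticator)


def collides(scheme) -> bool:
    """True if the two users from the text get the same authenticator."""
    return scheme("Alice", "21-Apr-2001") == scheme("Alice2", "1-Apr-2001")


if __name__ == "__main__":
    print("concatenation collides:", collides(ambiguous_authenticator))
    print("length-prefixed collides:", collides(framed_authenticator))
```

A fixed delimiter also removes the ambiguity, but only if the site rejects usernames that contain the delimiter; length prefixes need no such restriction.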