We are implementing a single sign-on solution that involves storing an encrypted cookie with the user's username as an access token.
1. We'd like to make sure the cookie can't be used in a replay attack, and so plan to include the IP address in it, along with an expiration time and a "MAC" (message authentication check) code to make sure the cookie wasn't tampered with.
We've seen the article at http://www.w3.org/Security/Faq/CLT-Q10, which explains what's in a MAC (MAC = MD5("secret key" + MD5("session ID" + "issue date" + "expiration time" + "IP address" +
The question is, is that the industry standard for a MAC? Is there an industry standard for MACs at all?
2. What encryption algorithm is recommended for the cookie? Triple-DES? MD5? On what basis should one decide on an encryption algorithm?