Results 1 to 6 of 6

Thread: [RESOLVED] Form Cookies Security

Thread Tools
- Show Printable Version
Display
- Switch to Linear Mode
- Switch to Hybrid Mode
- Threaded Mode

Threaded View

Previous Post

Next Post

Jul 21st, 2008, 09:15 PM #6
penagate

View Profile

View Forum Posts
I'm about to be a PowerPoster!

Join Date

Jan 2005

Location

Everywhere

Posts

13,647
Re: Form Cookies Security

Originally Posted by LoopUntil

If a user "sniff"/grabs the cookies of another user then it can replace/add these cookies with a tool and then refresh the page.
After that, it will be automatically authenticate.

This is true of any automatic login method. But regardless, passwords should never be sent in clear text. SSL should be used for a security-critical login method so that the data cannot be sniffed by a malicious third party. For automatic logins, usually some kind of login token is used rather than a hash of the user's password; this then creates a pre-authenticated session.

There are superior hash algorithms available than SHA1 or MD5, too, like Whirlpool or RIPEMD.

But you knew all that, right?
Reply With Quote

Quick Navigation PHP Top

« Previous Thread | Next Thread »

Posting Permissions

You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off

Click Here to Expand Forum to Full Width

Terms and Conditions | About Us | Privacy Notice | Contact Us | Advertise | Sitemap| California - Do Not Sell My Info

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

All times are GMT -5. The time now is 09:15 PM.