batman12
Starting Member
1 Posts
Posted - 28 May 2001 : 12:01:57

Hello there, I am considering using this forum on a site but have just a few questions, so if any guru-types would take a few moments I'd be very grateful. Are there any security issues around using cookie-based logging on? And what about cross-browser compatibility?
e3stone
Average Member
USA
885 Posts
Posted - 28 May 2001 : 12:54:26

Don't know about the cookies issue. I've been wondering that myself; for example, if someone logs in at a school computer, then leaves, then someone else starts up the browser and comes to my site, is that first person still logged in? Not sure.
As for the cross-browser issue, the only thing that I've had to do is change the color codes, i.e. "black" to "#000000", because Opera was freaking out with the text-based color codes.
<-- Eric -->
http://insidewaco.com/forum/home.asp
babygate
Starting Member
32 Posts
Posted - 28 May 2001 : 18:05:17

quote:
Don't know about the cookies issue. I've been wondering that myself; for example, if someone logs in at a school computer, then leaves, then someone else starts up the browser and comes to my site, is that first person still logged in? Not sure.
The answer to that is YES, if Save Password is checked and that person closed the browser without clicking on LOGOUT first.
Edited by - babygate on 28 May 2001 18:45:15
gor
Retired Admin
Netherlands
5511 Posts
Posted - 29 May 2001 : 00:27:19

babygate is correct.
If that is a problem, an option would be to either change inc_top.asp and have that checkbox default to unchecked, or simply remove that checkbox there. With the checkbox unchecked or absent, all cookies will expire once the browser is closed.
For the color codes e3stone mentioned, see the color section here: http://forum.snitz.com/faq.asp and a colorset to quickly fix that here: http://forum.snitz.com/faq_additional.asp
Pierre Join the Snitz WebRing
blackinwhite
Average Member
Turkey
657 Posts
Posted - 29 May 2001 : 03:40:51

One more thing: Snitz saves your password to the cookie as is, without encrypting it.
__________________ aQuarium > right-click intellectual device "I am a legal alien"
gor
Retired Admin
Netherlands
5511 Posts
Posted - 29 May 2001 : 04:27:31

Yes, that is true.
But if we encrypted it, that would only make it a bit harder to read, not impossible to read, because the decrypt code would be publicly available. (Right?)
Pierre Join the Snitz WebRing
blackinwhite
Average Member
Turkey
657 Posts
Posted - 29 May 2001 : 10:30:42

quote:
Yes, that is true.
But if we encrypted it, that would only make it a bit harder to read, not impossible to read, because the decrypt code would be publicly available. (Right?)
Pierre Join the Snitz WebRing
There was a discussion about it, you know that, gor. An admin can enter a certain code, for example in the admin screen; then different forums can have different encryption results at the end.
__________________ aQuarium > right-click intellectual device "I am a legal alien"
gor
Retired Admin
Netherlands
5511 Posts
Posted - 29 May 2001 : 10:46:23

This discussion you mean: http://forum.snitz.com/forum/link.asp?TOPIC_ID=9738 ?
There still is no working code that does that (and could be added by batman12). Also, the option redbrad0 suggested has (I think) a major flaw: if I register at the forum I want to hack first, it stores an encrypted cookie on my drive. If I was able to get hold of the database (or another user's cookie), I would still have all the things I needed to recalculate any key value the admin has entered.
Granted, you make it harder than it is now (but it wouldn't keep me out), and I never said I'm against it. If Tiltek finishes his MD5 encryption (or anybody else codes any other encryption that is "good"), it is easy to add it to the code, since writing the cookies is already done in a central place, and we could easily do that for reading also. And since it is not something that makes the code more complex (actually easier when all cookie reads are done by one function), I think it is a good idea and something that surely would be added to the source.
Pierre Join the Snitz WebRing
tilttek
Junior Member
Canada
333 Posts
Posted - 29 May 2001 : 12:07:42

quote:
Granted, you make it harder than it is now (but it wouldn't keep me out), and I never said I'm against it. If Tiltek finishes his MD5 encryption (or anybody else codes any other encryption that is "good"), it is easy to add it to the code, since writing the cookies is already done in a central place, and we could easily do that for reading also. And since it is not something that makes the code more complex (actually easier when all cookie reads are done by one function), I think it is a good idea and something that surely would be added to the source.
In fact my encryption file is finished and works very well... But I don't have much time to implement it in Snitz... It will be done after my deadline (June 10) at my job. I will encrypt the PW in the DB and in the cookies.
And this without any component.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com
Edited by - tilttek on 29 May 2001 12:11:57
blackinwhite
Average Member
Turkey
657 Posts
Posted - 30 May 2001 : 10:44:38

Be sure many people are waiting for it.
Thank you for your precise work.
__________________ aQuarium > right-click intellectual device "I am a legal alien"
tilttek
Junior Member
Canada
333 Posts
Posted - 30 May 2001 : 12:01:36

quote:
Be sure many people are waiting for it. Thank you for your precise work.
I will use MD5 for the PW encryption in the DB, using a method that makes the value different for each user and forum.
I will use Blowfish encryption for the cookies.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com
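The following is an added example, not part of the original thread and not Snitz's own code (Snitz is classic ASP; Python is used here purely for illustration). Part 1 reproduces gor's objection above: if the "encryption" is a reversible transform whose only secret is an admin-entered key, registering with a known password and reading your own cookie recovers that key, after which any other user's stolen cookie can be read. Part 2 shows the direction tilttek describes, a hash in the database that differs per user and per forum, plus a cookie that never carries the password at all, and ties in gor's earlier point about the Save Password checkbox (no expiry means the cookie dies with the browser). The forum key, salts, cookie name and token format are all hypothetical. The thread mentions MD5 for the stored hash; this example uses PBKDF2 instead, because a single fast hash is cheap to brute-force offline.

```python
"""Added example, not Snitz code.  Every name, key and format here is
hypothetical.  Part 1: why a per-forum key with a public decryptor does
not protect a password stored in a cookie.  Part 2: salted per-user hash
in the DB plus a signed, password-free login cookie."""
import hashlib
import hmac
import secrets
from itertools import cycle
from typing import Optional

# ---- Part 1: reversible, key-dependent cookie 'encryption' ------------
# XOR with a repeating admin key stands in for any reversible transform
# whose code ships with the forum source and whose only secret is the key.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, cycle(key)))

def weak_cookie(password: str, forum_key: bytes) -> str:
    """Cookie value under the weak scheme: the password itself, keyed-XORed."""
    return xor_with_key(password.encode(), forum_key).hex()

def recover_key(own_password: str, own_cookie: str) -> bytes:
    """gor's attack: register with a password you know, read your own
    cookie, and the keystream falls out (known plaintext).  Pick a
    password at least as long as any victim password you want to read."""
    return xor_with_key(bytes.fromhex(own_cookie), own_password.encode())

def read_victim_cookie(victim_cookie: str, keystream: bytes) -> str:
    """Decrypt another user's stolen cookie with the recovered keystream."""
    return xor_with_key(bytes.fromhex(victim_cookie), keystream).decode()

# ---- Part 2: hash in the DB, opaque signed token in the cookie --------
FORUM_SALT = b"per-forum-salt-set-by-admin"   # hypothetical; differs per forum
SERVER_SECRET = secrets.token_bytes(32)       # never leaves the server

def password_record(username: str, password: str) -> str:
    """Random per-user salt plus forum salt and username: the same password
    hashes differently per user and per forum.  PBKDF2 replaces the MD5
    mentioned in the thread; a single fast hash is easy to brute-force."""
    user_salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        FORUM_SALT + user_salt.encode() + username.encode(), 100_000).hex()
    return f"{user_salt}${digest}"

def check_password(username: str, password: str, record: str) -> bool:
    user_salt, digest = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        FORUM_SALT + user_salt.encode() + username.encode(), 100_000).hex()
    return hmac.compare_digest(candidate, digest)

def make_login_cookie(user_id: int, expires_at: Optional[int]) -> str:
    """user_id:expiry:HMAC, expiry 0 meaning 'session only'.  Without
    SERVER_SECRET nobody can forge the tag, so your own cookie or a copy
    of the database does not let you mint another user's cookie."""
    payload = f"{user_id}:{expires_at or 0}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{tag}"

def parse_login_cookie(cookie: str, now: int) -> Optional[int]:
    """Return the user id if the tag verifies and the cookie is unexpired."""
    try:
        uid, exp, tag = cookie.split(":")
        expected = hmac.new(SERVER_SECRET, f"{uid}:{exp}".encode(),
                            "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        if int(exp) and now > int(exp):
            return None
        return int(uid)
    except ValueError:
        return None

def set_cookie_header(value: str, max_age: Optional[int]) -> str:
    """'Save Password' unchecked -> no Max-Age, so the browser drops the
    cookie when it closes (the shared school computer case).  Checked ->
    a persistent cookie that survives a browser restart."""
    header = f"Set-Cookie: forumlogin={value}; Path=/; HttpOnly"
    if max_age is not None:
        header += f"; Max-Age={max_age}"
    return header

if __name__ == "__main__":
    key = b"S3cretForumKey"                      # hypothetical admin key
    mine = "attackerpassword1234567890"
    stream = recover_key(mine, weak_cookie(mine, key))
    print("victim password:", read_victim_cookie(weak_cookie("hunter2", key), stream))
    rec = password_record("alice", "hunter2")
    print("login ok:", check_password("alice", "hunter2", rec))
    print(set_cookie_header(make_login_cookie(42, None), max_age=None))
```

Running the script shows the weak scheme giving up "hunter2" from a victim's cookie once the attacker has read their own, while a signed token with no password inside cannot be turned into anyone else's login even with the database in hand.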
work mule
Senior Member
USA
1358 Posts
Posted - 30 May 2001 : 13:13:53

quote:
quote:
Don't know about the cookies issue. I've been wondering that myself; for example, if someone logs in at a school computer, then leaves, then someone else starts up the browser and comes to my site, is that first person still logged in? Not sure.
The answer to that is YES, if Save Password is checked and that person closed the browser without clicking on LOGOUT first.
Edited by - babygate on 28 May 2001 18:45:15
Yes, this is true. Please keep in mind that this is the same method used by many, many sites on the Internet. At some point it is up to the user to be conscious of completely logging out of sites when using remote computers at schools, conferences, malls, etc. There is only so much a website can do. If the user writes down the username and password on a piece of paper and pins it up on a bulletin board, regardless of how tight the site's security is, there is very little the code can do.
--The Writer Community
"Do not go where the path may lead, go instead where there is no path and leave a trail." -Ralph Waldo Emerson