Snitz Forums 2000
Forum: Snitz Forums 2000 DEV-Group / DEV Discussions (General)
Topic: use loginkey in cookie instead of encpassword?

bjlt
Senior Member

1144 Posts

Posted - 19 August 2002 : 13:58:30
Well, before we discussed the session key, I was not quite clear on this until I saw the source code of an application we use.

in snitz now we have

sub doCookies(fSavePassWord)
......
Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
Response.Cookies(strUniqueID & "User")("Pword") = strEncodedPassword
......
end sub



The encrypted password is used in the cookie, which means you need to change your password if someone fakes your cookie. The session key method we discussed before gives more security on this.

Since sessions will not work on web farms, we can use a cookie instead: every time someone logs on (using the real password) a new UNIQUE temporary loginkey is generated for use in the cookie, and this key is stored in the member table. This way, if someone fakes your cookie, it won't work after the next time you log on to the site with your password.

Use a function to generate the unique key and store it in the member table after checking the password, then use it in the cookie.


Function CreateLoginKey
    ' a function to generate a key, just make sure it's unique in the member table
    ' (body as described above; assign the generated key to CreateLoginKey to return it)
End Function

strLoginKey = CreateLoginKey

......
' chkString only escapes the value, so the caller adds the quotes;
' the WHERE clause keeps the UPDATE to the member who just logged in
' (MemberID is assumed to hold that member's MEMBER_ID)
strSQL = "UPDATE " & strMemberTablePrefix & "MEMBERS SET " & _
         " M_LOGINKEY = '" & chkString(strLoginKey, "SQLString") & "'" & _
         " WHERE MEMBER_ID = " & MemberID
......

' the cookie now carries the loginkey, not the encoded password
Response.Cookies(strUniqueID & "User")("Pword") = strLoginKey




Then we also need to think about when we need a password and when a cookie is just fine.

Just to add a bit more security.

Edited by - bjlt on 19 August 2002 14:38:35
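The loginkey scheme sketched in the post above, modelled in Python as an added example (this is not Snitz code and not from any poster): a password login issues a fresh random key and stores it in the member record, the cookie carries only that key, and a later password login or a logout invalidates any copied cookie. It assumes a SHA-256 stand-in for Snitz's encoded password, a constructed in-memory member table, and a dict standing in for the cookie.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def encode_password(password: str) -> str:
    # Stand-in for Snitz's encoded password (the real encoding is not given on the page).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Member:
    name: str
    encoded_password: str
    login_key: Optional[str] = None  # models the proposed M_LOGINKEY column


def make_table() -> Dict[str, Member]:
    # Constructed in-memory MEMBERS table with one sample account.
    return {"alice": Member("alice", encode_password("correct horse"))}


def create_login_key(table: Dict[str, Member]) -> str:
    # Random, unguessable key; the loop enforces uniqueness within the table.
    while True:
        key = secrets.token_hex(16)
        if all(m.login_key != key for m in table.values()):
            return key


def password_login(table: Dict[str, Member], name: str, password: str, cookie: dict) -> bool:
    # Real-password login: verify, then issue a fresh key and store it (the UPDATE step).
    member = table.get(name)
    if member is None or not hmac.compare_digest(member.encoded_password, encode_password(password)):
        return False
    member.login_key = create_login_key(table)
    cookie["Name"] = name
    cookie["Pword"] = member.login_key  # cookie holds the key, never the password
    return True


def cookie_login(table: Dict[str, Member], cookie: dict) -> bool:
    # Cookie login: accepted only if the key matches the one currently stored.
    member = table.get(cookie.get("Name", ""))
    if member is None or member.login_key is None:
        return False
    return hmac.compare_digest(member.login_key, cookie.get("Pword", ""))


def logout(table: Dict[str, Member], cookie: dict) -> None:
    # Clearing the stored key invalidates every copy of the cookie at once.
    member = table.get(cookie.get("Name", ""))
    if member is not None:
        member.login_key = None
    cookie.clear()
```

A copied cookie keeps working until the owner logs in with the password again or logs out, which is the limitation raised in the replies below.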

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 19 August 2002 : 14:30:52
Then what if I don't log out and someone gets the information from my cookie? It won't help either. The only way to really prevent people from stealing your cookie and logging in as you is by NOT letting a cookie be placed on your computer, and thereby entering your username and password each time you post a message.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 19 August 2002 : 14:41:09
quote:
Originally posted by FrutZle

Then what if I don't log out and someone gets the information from my cookie? It won't help either. The only way to really prevent people from stealing your cookie and logging in as you is by NOT letting a cookie be placed on your computer, and thereby entering your username and password each time you post a message.


Well you can also login and then logout when you're done.

On the other hand, how many cases of login impersonation have you known with Snitz cookies? Is all this discussion really worthwhile?

Alas, you can always develop a mod to do this. That's the beauty of Snitz, you can just have your very own version of the forum code.


Snitz 3.4 Readme | Like the support? Support Snitz too

bjlt
Senior Member

1144 Posts

Posted - 19 August 2002 : 14:42:49
Yes, it won't work if you don't log out at all. But it works if you use your real password any time. It just adds more security, and makes your cookie have nothing to do with your password at all. Some people just use one or two passwords for everything.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 19 August 2002 : 14:45:39
quote:
Originally posted by bjlt

Some people just use one or two passwords for everything.


That's a huge security risk, whoever does it should know that.


Snitz 3.4 Readme | Like the support? Support Snitz too

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 19 August 2002 : 14:46:05
Right, in that case it is useful. You should make one important change to inc_header.asp then too:
remove "checked" from the checkbox to save the password.

It makes sense, but if you want my honest opinion: people who use the same password for everything shouldn't be allowed to complain when they get into trouble.

bjlt
Senior Member

1144 Posts

Posted - 19 August 2002 : 14:47:20
Well, if you use it as a forum it probably doesn't matter at all. If someone's integrating it as the user database for his sites and wants to do some commercial things, it will help.

It's just some idea from other developers on the security issue; I think it might help in some way.

About people using one password for everything, isn't that a big portion of population?

Edited by - bjlt on 19 August 2002 14:50:51

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 19 August 2002 : 14:48:49
It won't hurt and might help some people. I'm not for it, nor against it.

Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07