Snitz Forums 2000
DEV Discussions (General)
 password digest in cookie

gkh
Starting Member, USA, 3 Posts
Posted - 07 March 2003 : 10:36:54
Hi Folks

I was browsing the Snitz Forums code with an eye to extending it for use on my own web site -- I was planning to piggyback on the forum's user name and password management, to mediate access to other parts of my web site as well as to the forums.

However, I am an ASP novice, but it appears to me that the user name and the password's sha256 message digest are placed into a cookie and checked on every access. Isn't that a bit insecure? If one of these cookies were to be intercepted, wouldn't it allow an imposter to fake being logged in?

Why not place a flag in the Session to indicate successful login and keep the password out of the cookie? I guess there is the convenience aspect of being able to have a login session persist across browser invocations, but does that justify the risk?

I am not trying to second-guess you guys and I'd like to discover that I've misunderstood the code and that this security problem doesn't really exist. I await enlightenment.

Best regards

Guy Hillyer
snitz@foxhillyer.org

dayve
Forum Moderator, USA, 5820 Posts
Posted - 07 March 2003 : 17:32:13
The password is NOT plain text in the cookie; it is encrypted.


gkh
Starting Member, USA, 3 Posts
Posted - 07 March 2003 : 17:53:19
Yes, what is placed in the cookie is the sha256 digest of the password. However, unless I'm mistaken, this encrypted form of the password, along with the user name, would be sufficient to synthesize a cookie that would make it appear a bogus request came from a logged-in user.

It would be OK to put the encrypted password in the cookie, if the actual plaintext password were needed to initiate a logged-in session. But the login is represented solely by the presence of the encrypted password in a cookie. So I think you could convince the web site that a logged-in session existed simply by presenting the password in a cookie.

But, as I said, I'd be happy to find that I'm wrong about this.

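The weakness gkh describes, and the usual fix, side by side as an added example (not Snitz code, and not ASP; written in Python to keep it runnable). The first scheme mirrors the page's description: the cookie carries the user name plus the SHA-256 digest of the password, and the server accepts any request whose cookie digest matches the stored digest. The second is a hardened "remember me": the cookie carries only a random opaque token, the server stores a hash of that token with an expiry, and logout or expiry invalidates it. The user table, the account "alice" and its password are constructed sample data; the class and function names are the example's own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample account. As on the page, the server keeps the user name
# and the SHA-256 digest of the password, never the plaintext.
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


def password_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# --- Scheme the thread describes: cookie = user name + password digest -------

def weak_login(username: str, password: str) -> Optional[dict]:
    """Issue the cookie as described in the thread: name plus password digest."""
    digest = password_digest(password)
    if username in USERS and hmac.compare_digest(USERS[username], digest):
        return {"name": username, "pwd": digest}
    return None


def weak_is_logged_in(cookie: dict) -> bool:
    """Login is proven by the cookie contents alone. There is no expiry and no
    server-side state, so the digest in the cookie is a password equivalent:
    it stays valid until the user changes their password."""
    stored = USERS.get(cookie.get("name", ""))
    return stored is not None and hmac.compare_digest(stored, cookie.get("pwd", ""))


# --- Hardened "remember me": random opaque token, stored and revocable --------

@dataclass
class SessionStore:
    ttl: int = 7 * 24 * 3600           # persistence across browser restarts, but bounded
    # maps sha256(token) -> (username, expiry); the raw token is never stored,
    # so a read of this table does not yield usable cookies
    _sessions: dict = field(default_factory=dict)

    @staticmethod
    def _key(cookie: dict) -> str:
        return hashlib.sha256(cookie.get("sid", "").encode()).hexdigest()

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[dict]:
        """Plaintext password is required to start a session; the cookie gets a token only."""
        now = time.time() if now is None else now
        if username not in USERS or not hmac.compare_digest(USERS[username], password_digest(password)):
            return None
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        cookie = {"sid": token}
        self._sessions[self._key(cookie)] = (username, now + self.ttl)
        return cookie

    def user_for(self, cookie: dict, now: Optional[float] = None) -> Optional[str]:
        """Returns the user name for a live session, or None if unknown, expired or logged out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(cookie))
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            self._sessions.pop(self._key(cookie), None)
            return None
        return username

    def logout(self, cookie: dict) -> None:
        """Invalidates this session; every copy of the cookie value dies with it."""
        self._sessions.pop(self._key(cookie), None)


def compare_schemes() -> dict:
    """Shows the difference the thread is about: the weak cookie cannot be revoked,
    the token cookie can."""
    weak = weak_login("alice", "correct horse battery")
    store = SessionStore()
    t0 = 1_000_000.0
    hard = store.login("alice", "correct horse battery", now=t0)
    store.logout(hard)
    return {
        "weak_cookie_exposes_digest": "pwd" in weak,
        "weak_cookie_valid_years_later": weak_is_logged_in(weak),   # nothing to expire it
        "hard_cookie_exposes_digest": "pwd" in hard,
        "hard_cookie_after_logout": store.user_for(hard, now=t0 + 1),
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(f"{k}: {v}")
```

The cookie in the second scheme is still a bearer credential, so it should also be set with `HttpOnly` and `Secure` and served over TLS; the difference is that a leaked token is bounded by its expiry and can be killed server side, whereas a leaked password digest can only be invalidated by changing the password.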

gkh
Starting Member, USA, 3 Posts
Posted - 07 March 2003 : 17:55:02
Oh, if there is a mod that addresses my concern, could someone point me to it? Thanks.

PeeWee.Inc
Senior Member, United Kingdom, 1893 Posts
Posted - 07 March 2003 : 18:36:53
quote:
Originally posted by gkh
Oh, if there is a mod that addresses my concern, could someone point me to it? Thanks.

http://www.snitzbitz.com

De Priofundus Calmo Ad Te Damine

Asha
Starting Member, 39 Posts
Posted - 06 May 2003 : 22:18:58
Will the mod or one like it be incorporated into a future version of Snitz?

Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07