Re: Best practice, (secure), to save session data? [message #178408 is a reply to message #178407] |
Fri, 15 June 2012 11:04 |
Jerry Stuckle
On 6/15/2012 3:46 AM, Chris Davies wrote:
>>> 2. If you encrypt the data into the cookie using a secret known only to
>>> the website then at least someone has to go to the bother of trying to
>>> brute force the data string, but they have as much time as they like to
>>> do so. Password security.
>>>
>
> Jerry Stuckle<jstucklex(at)attglobal(dot)net> wrote:
>> Incorrect. They don't need to break the string. All they have to do is
>> send the cookie. The server doesn't care which client the cookie came from.
>
> No. Read what I said again, in the context of the OP's comment. He was
> talking about putting the real data into the cookie.
>
> Chris
I read it. The thing you miss is the hacker doesn't need to decode the
encrypted data in the cookie. All he needs to do is send it - just like
the original client would.
He won't have the password - but he doesn't need it.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
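Added illustration of Jerry's point, not code from anyone in the thread: a stateless cookie that carries the real data (here integrity-protected with an HMAC; the same holds for an encrypted one) is accepted on every replay because the server has nothing to compare it against, whereas a cookie holding only an opaque id for a server-side session can be expired or revoked. The server key, session TTL and user record are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_KEY = b"demo-only-server-secret"

def make_stateless_cookie(data: dict) -> str:
    """Stateless cookie: the real session data plus an HMAC tag.
    The tag stops tampering, but a copied cookie replays unchanged."""
    body = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def read_stateless_cookie(cookie: str) -> Optional[dict]:
    body, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or malformed
    return json.loads(base64.urlsafe_b64decode(body))

# Server-side store: the cookie carries only an opaque id; data and
# lifetime live here, so the server can forget a session at will.
SESSIONS: dict = {}
SESSION_TTL = 1800  # seconds, constructed value

def create_session(data: dict, now: float) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"data": data, "expires": now + SESSION_TTL}
    return sid

def read_session(sid: str, now: float) -> Optional[dict]:
    entry = SESSIONS.get(sid)
    if entry is None or now > entry["expires"]:
        SESSIONS.pop(sid, None)
        return None  # unknown, revoked, or expired id
    return entry["data"]

def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)  # revocation: a copied id is now useless

def demo():
    user = {"uid": 42, "role": "admin"}  # constructed user record
    stolen = make_stateless_cookie(user)
    replay_accepted = read_stateless_cookie(stolen) == user  # True, forever
    sid = create_session(user, now=1000.0)
    before_logout = read_session(sid, now=1001.0) == user    # True
    logout(sid)
    after_logout = read_session(sid, now=1002.0) is None     # replay rejected
    return replay_accepted, before_logout, after_logout
```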