FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Best practice, (secure), to save session data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Best practice, (secure), to save session data? [message #178412 is a reply to message #178409] Fri, 15 June 2012 20:25 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 6/15/2012 11:20 AM, Chris Davies wrote:
> Jerry Stuckle<jstucklex(at)attglobal(dot)net> wrote:
>> I read it. The thing you miss is the hacker doesn't need to decode the
>> encrypted data in the cookie. All he needs to do is send it - just like
>> the original client would.
>
> You're (still?) missing my differentiator between this and a session
> cookie.
>
>
>> He won't have the password - but he doesn't need it.
>
> It wasn't about having a password (implicit with the cookie or otherwise),
> it was having access to the data stored directly in the cookie itself.
>
> Chris

It would help if you were to quote the relevant comments. You said:

"2. If you encrypt the data into the cookie using a secret known only to
the website then at least someone has to go to the bother of trying to
brute force the data string, but they have as much time as they like to
do so. Password security."

As I stated - this is not correct. No one needs to "brute force the
data string" to get logged in - all they have to do is send the cookie.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Stats comp.lang.php (last 7 days)
Next Topic: Is spl_object_hash unique in the SQL sense? Can it be used as a unique SQL db column?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 01:36:28 GMT 2024

Total time taken to generate the page: 0.13151 seconds