| Re: Best practice, (secure), to save session data? [message #178412 is a reply to message #178409] |
Fri, 15 June 2012 20:25   |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 6/15/2012 11:20 AM, Chris Davies wrote:
> Jerry Stuckle<jstucklex(at)attglobal(dot)net> wrote:
>> I read it. The thing you miss is the hacker doesn't need to decode the
>> encrypted data in the cookie. All he needs to do is send it - just like
>> the original client would.
>
> You're (still?) missing my differentiator between this and a session
> cookie.
>
>
>> He won't have the password - but he doesn't need it.
>
> It wasn't about having a password (implicit with the cookie or otherwise),
> it was having access to the data stored directly in the cookie itself.
>
> Chris
It would help if you were to quote the relevant comments. You said:
"2. If you encrypt the data into the cookie using a secret known only to
the website then at least someone has to go to the bother of trying to
brute force the data string, but they have as much time as they like to
do so. Password security."
As I stated - this is not correct. No one needs to "brute force the
data string" to get logged in - all they have to do is send the cookie.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]