Re: Best practice, (secure), to save session data? [message #178450 is a reply to message #178446]
Mon, 18 June 2012 19:13
Jerry Stuckle
On 6/18/2012 2:02 PM, Chris Davies wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>> As I stated - this is not correct. No one needs to "brute force the
>> data string" to get logged in - all they have to do is send the cookie.
>
> My original quote suggested option 2 as getting access to the data stored
> in the cookie. Real data stored in the cookie, not a session value that
> would/could get you access to the data stored on the website. That you
> might also be able to log in is a potential side-effect and was (from
> my perspective, at least) irrelevant.
>
> Chris
Yes, and my point was - you don't NEED access to the encrypted data.
All you need to do is send a copy of the cookie itself to log in.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
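The point made above, that a copied session cookie is enough to log in no matter what the cookie's contents encrypt, modelled as an added example that is not code from this thread: an in-memory server-side session store where the cookie carries only an opaque random id, plus the controls that limit replay (id rotation, idle timeout, cookie flags). The idle timeout value, the cookie name `sid` and all function names are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before a session dies (assumed policy)


class SessionStore:
    """Sessions live on the server; the cookie holds only a random id.

    Nothing in the cookie is worth decrypting: whoever presents the id is
    treated as the user until the id is rotated, expired or logged out.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}   # sid -> {"user": str, "last_seen": float}
        self._clock = clock   # injectable for deterministic tests

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def resolve(self, sid):
        """Map a presented cookie value to a user, or None if not valid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # stale id: a late replay is refused
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def regenerate(self, sid):
        """Swap in a fresh id (after login or privilege change) and drop the
        old one, so a copy of the cookie taken earlier stops working."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Cookie flags: unreadable by script, sent only over TLS, not attached
    to cross-site requests. They reduce how a copy can be taken, not what
    a copy can do once taken."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```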