From: Reini U. <ru...@x-...> - 2003-12-13 01:00:17
Joby Walker wrote:
> This looks good, but as I read this you are storing the
> username&password (in human readable form) in the contents of a cookie
> on the end-user's machine. This seems quite bad to me. SOP, for web
> sites is to store a cookie with a unique id (UID). The cookie id plus
> some unique features of the client (IP, browser, time, etc) are then
> checked by the server against its session database and if verified the
> user is logged in (very similar to Kerberos). But by storing the
> username & password in the cookie, if someone reads the cookie they will
> have complete access to that account.
>
> A quick review of the cookies currently in my browser shows:
>
> 1) UIDs are primarily used -- especially with commercial sites.
> 2) Passwords are not stored in cookies.
> 3) Userids, if used instead of a UID, are encrypted.
> 4) Very little data is in human readable form -- and none of it is
> critical info.
>
> If I am mistaken about what you are storing in the cookie ... then
> ignore. But I am quite worried about this development.

Well, I'm not so concerned about security with this password issue,
since it's only a wiki. Nothing serious.
If I store sensitive data in cookies I do a symmetric encryption with a
secret key at the host, generated at install time.
But it's true that certain pref data shouldn't be stored in cookies:
passwd (for security), email (. Just the basic prefs for username and
layout. Otherwise the user has to create a homepage. Okay?
But then we'll have to fix the login procedure also.

> On a better note the classes look good. Having different classes with
> common methods will be very helpful for the future of phpwiki.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/