From: Chris N. <pu...@po...> - 2001-01-25 19:20:05

At 10:01 -0900 01.25.2001, Nathan Vonnahme wrote:
>Whoah, I didn't realize usernames/passwords were stored in the cookies.
>Cookies are (in theory) interceptable since they're sent over the net in
>clear text (unless you're using ssl), so Bad Guys could steal your cookie
>and learn your password and log in as you and do Bad Things.

This is the case now, in Slash. In bender, we use md5 hashing to store the
password in the cookie. So the password itself is not there. Yes, the md5
hash could be stolen, so someone could copy your cookie and log in as you.
And yes, this can all be worked around with SSL, which is why bender has SSL
support, so admins can choose to use https.

I am not opposed to other methods; the cool thing is that all of this is done
in Slash::Apache::User, and is invoked in your Apache config. You can write a
separate authentication module and plug that in to your Apache config instead.
I imagine we will work toward having several different authentication modules.

--
Chris Nandor                      pu...@po...    http://pudge.net/
Open Source Development Network    pu...@os...    http://osdn.com/
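The two properties Chris describes, modelled as an added example in Python (this is not code from Slash or bender, and it does not use Slash::Apache::User): a cookie carrying `user:md5(password)` validates for whoever presents it and stays valid until the password changes, so SSL is what keeps it off the wire. As one of the "other methods" he says he is open to, the example goes slightly beyond the message and also shows a random per-login session id, sent with the `Secure` and `HttpOnly` attributes and revocable server-side. The `USERS` and `SESSIONS` tables, the `session` cookie name and the sample password are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample account store: username -> md5 hex digest of the password.
# This mirrors the bender scheme in the message (the cookie holds the md5 hash,
# not the password). Names and values are assumptions of this example.
USERS = {"alice": hashlib.md5(b"correct horse battery").hexdigest()}

# Server-side session table for the alternative scheme: session id -> username.
SESSIONS = {}


def make_hash_cookie(user, password):
    """Build the cookie value a hash-in-cookie scheme sets: user:md5(password)."""
    return f"{user}:{hashlib.md5(password.encode()).hexdigest()}"


def check_hash_cookie(value):
    """Validate a user:md5 cookie. Returns the username on success, else None.

    Note what is NOT checked: whether this copy of the cookie came from the
    original login. Any holder of the value passes, and the value stays valid
    until the stored hash (i.e. the password) changes. That is why the message
    points at SSL: the only defence is keeping the value off the wire.
    """
    user, sep, digest = value.partition(":")
    if not sep or user not in USERS:
        return None
    # Constant-time compare so the check itself does not leak digest bytes.
    if hmac.compare_digest(USERS[user], digest):
        return user
    return None


def login_session(user, password):
    """Verify the password once, then issue a random per-login session id.

    The cookie now carries no password-derived material; the server table is
    the only place the id means anything, so it can be revoked at will.
    """
    if user not in USERS:
        return None
    offered = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS[user], offered):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def check_session_cookie(sid):
    """Resolve a session id to a user, or None if unknown or revoked."""
    return SESSIONS.get(sid)


def logout(sid):
    """Revoke a session server-side; the same cookie value is useless afterwards."""
    SESSIONS.pop(sid, None)


def session_cookie_header(sid):
    """Render the Set-Cookie line for the session id.

    Secure: the browser only sends it over https (the SSL point above).
    HttpOnly: page scripts cannot read it.
    """
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    hash_cookie = make_hash_cookie("alice", "correct horse battery")
    print("hash cookie validates as:", check_hash_cookie(hash_cookie))
    sid = login_session("alice", "correct horse battery")
    print(session_cookie_header(sid))
    logout(sid)
    print("session after logout:", check_session_cookie(sid))
```

The hash cookie has no logout: `check_hash_cookie` keeps returning the user for the same value for as long as the password is unchanged, whereas `logout` makes the session value dead immediately, and a new login yields an unrelated id.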