Comments on: Website authorization – my solution

By: Lech

Lech — Thu, 12 Nov 2009 04:57:28 +0000

@Simon: yes, this is true – is someone steals cookie (and do not let it expire ) he can log in. This is why this solution made me unease – “The only advantage is that the password is not stored in cookie – but it is not needed, as just the digest is needed to pretend to be logged in.”

@mj41: yes, this isn’t a temporary token, as I did not implement what the design pattern said. Now I am wondering whther I should do this, or is the solution good enough.

By: mj41

mj41 — Wed, 11 Nov 2009 17:27:41 +0000

“Crypted password from database” isn’t a temporary token. E.g it can be used after user do logout.

By: Michael Peters

Michael Peters — Wed, 11 Nov 2009 14:41:13 +0000

The main reason is to not store the password as plain text in the database. Perl Monks did this and when they got hacked lots of accounts were exposed. People who used Perl Monks had to run around and make sure they weren’t using the same login credentials on any other site. And you store them hashed with a salt so that if you get hacked, no one can use a Rainbow Table to crack the hashes.

By: Simon Wilcox

Simon Wilcox — Wed, 11 Nov 2009 09:24:45 +0000

Terrible idea. As soon as someone steals the cookie they can impersonate the user and access the system. The only way to invalidate the cookie is to change the password.

Or am I misunderstanding how your scheme works ?

Simon.