Archive of UserLand's first discussion group, started October 5, 1998.

Re: DG Cookie contains plaintext password

Author: Eric Soroos
Posted: 4/16/1999; 12:39:00 PM
Topic: DG Cookie contains plaintext password
Msg #: 5073 (In response to 5030)
Prev/Next: 5072 / 5074

It's more difficult than this, as I've stated in some previous discussion group messages. See: http://discuss.userland.com/msgReader$2851

What you've just done is taken the current password, then hashed it and put it in a cookie. You're right back to where you started. Unless you can hash on the client, MD5 will not help you.

To use md5 effectively, you need to be able to replicate the pop3 apop command. The server sends a globally/universally string, typically <time@machine ip/name>. The client then hashes this + the password, and the server compares the hash to its own hash of the string+password. This is basically impossible to do when you have a human at the web browser. (although it's possible to use for xml-rpc)

Fundamentally, ssl is the better choice, since you get 3 things.

1) authentication

2) protection from snooping

3) protection from spoofing

i.e., you know the other person, you know that no one in the middle can read it, and no one in the middle can change it (in a cryptographically strong sense).

eric
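The two schemes contrasted above, as an added example that is not part of the original post: a cookie holding a fixed hash of the password (replayable by anyone who captures it) beside an APOP-style challenge-response in which the server issues a fresh string and the client returns MD5(string+password). All names, the sample credential store and the hostname are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential store (hypothetical user and password).
PASSWORD_DB = {"eric": "hunter2"}


def make_cookie_token(password: str) -> str:
    """The scheme the post criticises: a fixed hash of the password.
    Whoever captures this cookie can present it again later."""
    return hashlib.md5(password.encode()).hexdigest()


def cookie_token_is_valid(user: str, token: str) -> bool:
    return hmac.compare_digest(token, make_cookie_token(PASSWORD_DB[user]))


def make_apop_challenge(hostname: str = "example.invalid") -> str:
    """APOP-style challenge, unique per connection, in the
    <something@host> shape the post describes (random nonce plus clock)."""
    return f"<{os.urandom(8).hex()}.{time.time_ns()}@{hostname}>"


def apop_response(challenge: str, password: str) -> str:
    """Client side: MD5 over challenge + password, as in POP3 APOP."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def apop_verify(user: str, challenge: str, digest: str) -> bool:
    """Server side: recompute the digest from its own copy of the password."""
    expected = apop_response(challenge, PASSWORD_DB[user])
    return hmac.compare_digest(digest, expected)


def replay_outcomes():
    """Simulate an eavesdropper re-sending what it saw on the wire.
    Returns (cookie_replay_accepted, apop_replay_accepted)."""
    # Cookie scheme: the captured token is still valid on a later request.
    captured_cookie = make_cookie_token(PASSWORD_DB["eric"])
    cookie_replay_ok = cookie_token_is_valid("eric", captured_cookie)

    # APOP scheme: the captured digest is bound to the old challenge,
    # so it does not verify against a fresh one.
    old_challenge = make_apop_challenge()
    captured_digest = apop_response(old_challenge, PASSWORD_DB["eric"])
    fresh_challenge = make_apop_challenge()
    apop_replay_ok = apop_verify("eric", fresh_challenge, captured_digest)
    return cookie_replay_ok, apop_replay_ok
```

Note the server still needs the plaintext password on its side to verify an APOP digest, and the exchange protects only the credential in transit, not the rest of the session; that is why the post lands on ssl.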


This page was archived on 6/13/2001; 4:49:23 PM.

© Copyright 1998-2001 UserLand Software, Inc.