Archive of UserLand's first discussion group, started October 5, 1998.

Re: DG Cookie contains plaintext password

Author: Bruce Hoult
Posted: 4/17/1999; 4:18:23 PM
Topic: DG Cookie contains plaintext password
Msg #: 5099 (In response to 4998)

As the subject says, I was looking at some cookies today and the Userland 'firstDiscussionGroup' cookie contains my email address and password in plaintext.

I don't see that you can do anything about this. Whatever is in the cookie is whatever userland will accept as the password. You could change things so that the password is encrypted, but then you'd have to store the encrypted password in the cookie and anyone who could read the cookie file or intercept the transmission of the cookie would see the encrypted password. They could then copy the encrypted password and use it themselves -- without having to know the plaintext password -- by putting it directly into their own cookie file.

Making the cookie encrypted *would* stop someone else from reading your cookie (either on disk, or in transmission) and then using the "Log On" command in the DG, but it wouldn't do a darn thing against anyone who knew how to edit their cookie file directly.
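
The point made in the post above, as a runnable comparison (an added example, not part of the original post and not UserLand's code): a cookie holding a fixed transform of the password is accepted from anyone who holds a copy, while a random server-side session token can expire and be revoked. PBKDF2 stands in for the post's "encrypted password", and the account, function names and in-memory session table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT = secrets.token_bytes(16)


def protect(password: str) -> str:
    # Stand-in for the post's "encrypted password": any fixed transform.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


# Constructed sample account, not data from the discussion group.
USERS = {"reader@example.com": protect("correct horse")}
SESSIONS = {}  # token -> (email, expiry time in seconds)


def transformed_cookie_accepts(email: str, cookie: str) -> bool:
    # Scheme A: the cookie is compared with the stored value, so the
    # cookie itself is the credential for as long as the password lasts.
    return hmac.compare_digest(USERS.get(email, ""), cookie)


def session_login(email, password, now, ttl=3600):
    # Scheme B: verify the password once, then issue a random token that
    # is unrelated to the password and expires.
    if not transformed_cookie_accepts(email, protect(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (email, now + ttl)
    return token


def session_accepts(token, now):
    entry = SESSIONS.get(token)
    return entry is not None and now < entry[1]


def compare_schemes():
    email = "reader@example.com"
    copied = USERS[email]  # what a reader of the scheme A cookie sees
    token = session_login(email, "correct horse", now=0)
    results = {
        "A_copy_accepted": transformed_cookie_accepts(email, copied),
        "B_copy_accepted_while_live": session_accepts(token, now=10),
        "B_copy_accepted_after_expiry": session_accepts(token, now=3601),
    }
    SESSIONS.pop(token, None)  # logout revokes the token on the server
    results["B_copy_accepted_after_logout"] = session_accepts(token, now=10)
    return results
```

Either value still has to travel over an encrypted connection; the session token only limits how long a copy stays useful and keeps the password out of the cookie.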


This page was archived on 6/13/2001; 4:49:24 PM.

© Copyright 1998-2001 UserLand Software, Inc.