Issue 25: Cookie stolen vulnerability in Auth class
Status:  New
Owner:  ----
Reported by nat3...@gmail.com, Mar 17, 2009
In the Auth class you store a pair of username and encrypted password in JSON
format. This is a great vulnerability in the auth system. If someone sniffs this
TCP packet then they can send those cookies to impersonate the user, or even
the admin.

Read about solution to this at
http://jaspan.com/improved_persistent_login_cookie_best_practice.


Mar 18, 2009
#1 nat3...@gmail.com
Sorry, the first sentence should read:

In the Auth class you store a pair of username and encrypted password in JSON format in a
Cookie.
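For readers of this issue, here is an added example (not the project's Auth class, and not code from the reporter) of the remember-me scheme the linked article describes: the cookie carries only a random series identifier and a random token, the server stores the token's hash, and the username and password never leave the server. The in-memory `$store` array, the 30-day lifetime and the `PersistentLogin` class name are assumptions standing in for a database table and the project's own policy.

```php
<?php
// Added example: series-identifier + rotating-token persistent login.
// Storage is an in-memory array here, assumed as a stand-in for a DB table.
declare(strict_types=1);

final class PersistentLogin
{
    /** @var array<string, array{user:string, token_hash:string, expires:int}> keyed by series id */
    private array $store = [];

    private const TTL = 30 * 24 * 3600; // 30-day lifetime (assumed policy)

    /** Called once after a successful password login; returns the cookie value to set. */
    public function issue(string $username): string
    {
        $series = bin2hex(random_bytes(16));
        return $this->rotate($username, $series);
    }

    /**
     * Validate a presented cookie. Returns [username, newCookie] on success,
     * or null when the cookie is malformed, unknown or expired. If the series
     * is known but the token is wrong, the cookie has been replayed (stolen
     * and already used): every series for that user is revoked.
     */
    public function check(string $cookie): ?array
    {
        if (!preg_match('/^([0-9a-f]{32}):([0-9a-f]{32})$/', $cookie, $m)) {
            return null;
        }
        [, $series, $token] = $m;
        $row = $this->store[$series] ?? null;
        if ($row === null || $row['expires'] < time()) {
            unset($this->store[$series]);
            return null;
        }
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            $this->revokeAll($row['user']); // theft detected for this user
            return null;
        }
        // Good token: consume it and hand back a fresh one on the same series.
        return [$row['user'], $this->rotate($row['user'], $series)];
    }

    /** Drop every remembered login for a user (logout-everywhere / theft response). */
    public function revokeAll(string $username): void
    {
        foreach ($this->store as $series => $row) {
            if ($row['user'] === $username) {
                unset($this->store[$series]);
            }
        }
    }

    private function rotate(string $username, string $series): string
    {
        $token = bin2hex(random_bytes(16));
        $this->store[$series] = [
            'user'       => $username,
            'token_hash' => hash('sha256', $token), // only the hash is stored
            'expires'    => time() + self::TTL,
        ];
        return $series . ':' . $token;
    }
}

// Usage sketch (constructed). In a real handler the value goes into
// setcookie() with the HttpOnly, Secure and SameSite flags set.
$pl = new PersistentLogin();
$c1 = $pl->issue('alice');          // first visit: remember-me cookie issued
[$user, $c2] = $pl->check($c1);     // next visit: accepted, fresh token returned
$replay = $pl->check($c1);          // replaying the consumed cookie fails and
                                    // revokes all of alice's series
$legit = $pl->check($c2);           // so the legitimate cookie is now rejected too
var_dump($user, $replay, $legit);
```

The point of the series identifier is what makes the replay case detectable: a stolen cookie used by a third party still matches a known series, so a later token mismatch on that series is evidence of theft rather than an ordinary expiry, and the user can be logged out everywhere. Rotating the token on every use keeps the window in which a sniffed value is useful as short as possible; it does not remove the need to serve the cookie over TLS.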
Nov 9, 2010
#2 osina...@gmail.com

I am going to try this small lightweight framework as I'm doing a small(ish) project at work.

Hopefully it should suffice. The only thing I disagree with in the project summary is I don't think you can really slate cake/solaris/other 'huge' and 'cumbersome' systems.

You will see. In ten years' time, this will be 'huge and cumbersome' because you will ALWAYS find tedious scripts that you are rewriting in each website you build so - you wrap it in a function or object and it becomes version 1.1 of your framework until you reach version 10.0 and others view it as huge and cumbersome...

For example, who wants to write the html for a table with 10 rows and 6 columns when all that is different is the inner html?

It's why things like jquery, drupal, cake, etc were born.

PHP's problem is the lack of uniformity. .NET has one framework that is used by all .NET developers using Visual Studio/Express.

PHP has hundreds of frameworks, content management systems, edited by Komodo Edit, Dreamweaver, Notepad++, Eclipse PHP, (to name a few) - which is where I think the problem is.
Nov 9, 2010
#3 osina...@gmail.com
lol I like "moments ago" when you add a new comment :)
Nov 9, 2010
#4 nat3...@gmail.com
I wonder what your comment has to do with this issue?