On Jan 24, 10:10 am, Andrew Badera <and...@badera.us> wrote:

> Typically, or at least in my experience, salting is
> md5/sha1/whatever(password+salt) rather than md5(md5(password)+salt) ...

If you just hash the password plus the salt, you need to store the password on the server. This is bad, both because servers are vulnerable and also because at some stage you have to transmit the password in clear. So you transmit (and store) the hash of the password, which means you need to hash it twice when you log in.

> But can't the attackers simply spoof a request with that session id in
> the cookies?

Yes, but only while the session is valid. At the very least make your sessions expire frequently, and make logging out enticing for users. And you could also make their IP address part of the salt, and have the server check it. This limits attacks to your internal network.

Cheers!
Greg.

You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en
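The following is an added example, not code from Greg, Andrew, or the App Engine thread. It shows the two mechanisms the exchange discusses side by side: a per-user random salt hashed together with the password so that only the salt and the digest are stored (the `hash(password+salt)` form Andrew describes), and a server-side session store whose entries expire after a short TTL and are checked against the client IP, as Greg recommends. The function names, the 15-minute TTL, and the substitution of PBKDF2-SHA256 for the md5/sha1 mentioned in the thread are my own choices, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example; a real deployment tunes both.
PBKDF2_ITERATIONS = 200_000
SESSION_TTL_SECONDS = 900  # "expire frequently": 15 minutes here


def make_salt(length: int = 16) -> bytes:
    """Per-user random salt, generated at registration and never reused."""
    return os.urandom(length)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest of the password. Only this and the salt are stored,
    never the password itself (PBKDF2-SHA256 is assumed in place of md5/sha1)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(users: dict, username: str, password: str) -> None:
    """Create a user record holding salt and digest for the given password."""
    salt = make_salt()
    users[username] = {"salt": salt, "digest": hash_password(password, salt)}


def verify_password(users: dict, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = users.get(username)
    if record is None:
        # Hash a dummy value so an unknown username costs as much as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def create_session(sessions: dict, username: str, client_ip: str, now: float) -> str:
    """Issue a random session token bound to the user, the client IP and an expiry time."""
    token = secrets.token_urlsafe(32)
    sessions[token] = {"user": username, "ip": client_ip, "expires": now + SESSION_TTL_SECONDS}
    return token


def session_user(sessions: dict, token: str, client_ip: str, now: float):
    """Return the username for a valid session, or None if the token is unknown,
    expired, or presented from a different IP than the one it was issued to."""
    session = sessions.get(token)
    if session is None:
        return None
    if now >= session["expires"]:
        sessions.pop(token, None)  # prune the expired entry
        return None
    if session["ip"] != client_ip:
        return None
    return session["user"]


def logout(sessions: dict, token: str) -> None:
    """Invalidate a session immediately, regardless of its remaining TTL."""
    sessions.pop(token, None)
```

The IP binding is kept as a field in the session record rather than folded into the salt, because the server has to compare it on every request anyway; storing it explicitly keeps the password digest independent of where the user last logged in. The `now` parameter is passed in so the expiry logic can be exercised deterministically.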