Hmm. So basically this would sum it up?

1. If I use SSL, I can rely on the cookies?
2. If I don't use SSL and use another provider for the password check (like OpenID, etc.), I need to take your advice on sessions expiring?

Am I correct? And what are the real chances of a hacker intercepting traffic?

On Jan 24, 6:41 pm, Greg <g.fawc...@gmail.com> wrote:
> On Jan 24, 10:10 am, Andrew Badera <and...@badera.us> wrote:
>
> > Typically, or at least in my experience, salting is
> > md5/sha1/whatever(password+salt) rather than md5(md5(password)+salt) ...
>
> If you just hash the password plus the salt, you need to store the
> password on the server. This is bad, both because servers are
> vulnerable and also because at some stage you have to transmit the
> password in clear. So you transmit (and store) the hash of the
> password, which means you need to hash it twice when you login.
>
> > But can't the attackers simply spoof a request with that session id in
> > the cookies?
>
> Yes, but only while the session is valid. At the very least make your
> sessions expire frequently, and make logging out enticing for users.
> And you could also make their IP address part of the salt, and have
> the server check it. This limits attacks to your internal network.
>
> Cheers!
> Greg.

You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en
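As an added illustration of the session advice in Greg's reply (short-lived sessions, easy logout, the server checking the client address) and of the "can I rely on cookies over SSL" question, here is a small server-side session store. It is example code written for this thread, not code from the original posts or from App Engine; the 15-minute idle timeout, the `Session`/`SessionStore` names and the `now` clock parameter are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumption for the example: a 15-minute idle timeout. Shorter is safer,
# because a stolen or replayed session cookie only works until expiry.
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    client_ip: str      # address the session was created from
    expires_at: float   # absolute time (seconds) after which the id is dead


class SessionStore:
    """In-memory server-side session table keyed by an unguessable id."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, bind_ip=True, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._bind_ip = bind_ip
        self._now = now  # injectable clock so expiry behaviour can be tested

    def create(self, user, client_ip):
        # 32 random bytes -> 43-char URL-safe id; the id carries no user data,
        # so the only thing an attacker could reuse is the opaque token itself.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, self._now() + self._ttl)
        return sid

    def lookup(self, sid, client_ip):
        """Return the user for a valid session id, or None if it must be rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() >= s.expires_at:
            del self._sessions[sid]   # expired: a replayed cookie is useless now
            return None
        if self._bind_ip and s.client_ip != client_ip:
            return None               # cookie presented from a different address
        # Sliding expiry: activity extends the session, idle ones die quickly.
        s.expires_at = self._now() + self._ttl
        return s.user

    def logout(self, sid):
        # Explicit logout invalidates the id immediately, not at expiry.
        self._sessions.pop(sid, None)


def session_cookie_header(sid, over_ssl):
    """Build the Set-Cookie line for a session id.

    HttpOnly keeps the id away from page scripts; Secure (only meaningful when
    the site is served over SSL) stops the browser from ever sending the
    cookie on a plain HTTP connection, which is what makes the cookie
    trustworthy in the "I use SSL" case.
    """
    attrs = ["HttpOnly", "Path=/"]
    if over_ssl:
        attrs.append("Secure")
    return "Set-Cookie: sid=" + sid + "; " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")   # constructed sample address
    print(session_cookie_header(sid, over_ssl=True))
    print(store.lookup(sid, "203.0.113.10"))      # alice
    print(store.lookup(sid, "198.51.100.7"))      # None: different address
    store.logout(sid)
    print(store.lookup(sid, "203.0.113.10"))      # None: logged out
```

Binding a session to the client address is the trade-off Greg hints at: it shuts out a replayed cookie coming from elsewhere, but users whose address changes mid-session (mobile clients, some proxies) get logged out, so many sites use it only as a signal rather than a hard reject.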