RE: Cookies and Security

2001-08-09 Thread Fields, Aubrey
Joel is right. A "known plaintext" attack is very effective... and sending a sample of your encryption to anyone is risky. Also, just for information's sake, you can recover passwords from digest form... sort of. Ever heard of "Crack" or "John the Ripper"? If you enforce strong passwords then it

Re: Cookies and Security

2001-08-08 Thread Curtis Poe
--- Ryan Davis <[EMAIL PROTECTED]> wrote: > OK, I know this is getting a little off-topic, but I think security is a big > issue, especially with newbies like myself, and deserves some good > discussion. Also, there's probably not a perl-cgi-beginners-security list, > nor should there be. > > I l

Re: Cookies and Security

2001-08-08 Thread Ryan Davis
]> To: CGI Beginners <[EMAIL PROTECTED]> Sent: Wednesday, August 08, 2001 12:42 PM Subject: RE: Cookies and Security > --- Joel Hughes <[EMAIL PROTECTED]> wrote: > > Curtis, > > are you sure that sending the digest back to the client in cookie form is a > > good id

RE: Cookies and Security

2001-08-08 Thread Curtis Poe
--- Joel Hughes <[EMAIL PROTECTED]> wrote: > Curtis, > are you sure that sending the digest back to the client in cookie form is a > good idea? > > I mean, if I were a hacker, could I not register and then retrieve the > digest - you then have the plain text and the cipher text. (admittedly you >

RE: Cookies and Security

2001-08-08 Thread Joel Hughes
function. joel -Original Message- From: Curtis Poe [mailto:[EMAIL PROTECTED]] Sent: 08 August 2001 17:38 To: CGI Beginners Subject: Re: Cookies and Security --- Ryan Davis <[EMAIL PROTECTED]> wrote: > First of all, thanks for the quick response. This application isn't in use >

Re: Cookies and Security

2001-08-08 Thread Curtis Poe
--- Ryan Davis <[EMAIL PROTECTED]> wrote: > First of all, thanks for the quick response. This application isn't in use > yet, so now is the time to make security changes > > A few questions/let me see if I'm following you: > > A user enters their password, I create the digest, and store the dig

Re: Cookies and Security

2001-08-08 Thread Matt Kent
Ryan Davis wrote: > > First of all, thanks for the quick response. This application isn't in use > yet, so now is the time to make security changes > > A few questions/let me see if I'm following you: > > A user enters their password, I create the digest, and store the digest as a > cookie.

Re: Cookies and Security

2001-08-08 Thread Ryan Davis
the message _out_ of digest form. Thanks, Ryan - Original Message - From: Curtis Poe <[EMAIL PROTECTED]> To: CGI Beginners <[EMAIL PROTECTED]> Sent: Wednesday, August 08, 2001 11:00 AM Subject: Re: Cookies and Security > --- Ryan Davis <[EMAIL PROTECTED]> wrot

Re: Cookies and Security

2001-08-08 Thread Curtis Poe
--- Ryan Davis <[EMAIL PROTECTED]> wrote: > Hey all, > > I have a password protected area, and after the user puts in their password, I store > it in a > cookie, and the CGI reads that cookie every time to determine if the user is logged > in or not. > I figured this was safer than passing a 'lo

Re: Cookies and Security

2001-08-08 Thread Roger C Haslock
users of the script. I look with interest to the more learned answers to your query. - Roger - - Original Message - From: "Ryan Davis" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, August 08, 2001 10:00 AM Subject: Cookies and Security Hey all, I hav

Cookies and Security

2001-08-08 Thread Ryan Davis
Hey all, I have a password protected area, and after the user puts in their password, I store it in a cookie, and the CGI reads that cookie every time to determine if the user is logged in or not. I figured this was safer than passing a 'loggedin' param as a hidden field, but I'm not sure if