Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsGeekzoneGeekzone passwords in plain text
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 
richms
29098 posts

Uber Geek
+1 received by user: 10208

Trusted
Lifetime subscriber

  #292939 25-Jan-2010 18:45
Send private message

Cookies are just as easy to harvest as browser history, so if you are staying logged in, any malware could take the cookie and flick it back to the botnet master to get in here on your currently saved details or current session.




Richard rich.ms



freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #292940 25-Jan-2010 18:48
Send private message

I have changed the scripts so the password won't show as part of a URL anymore - unless you guys have it saved in the bookmark.

As for the cookies - yes, this was discussed at length in the other thread, and unless we work on something like a session token that changes on every page view, then your information will always be "available". I am still not convinced that a single token solves the impersonation problem, unless the entire session is always encrypted and there isn't an option for automatic login.




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #301745 24-Feb-2010 09:25
Send private message

Ragnor: @freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/severs can potentially read browsing history including visited urls via various methods (javascript, activex, flash, referrer etc).



We released a change yesterday that will now use session variables for automatic login. Also the login page is using POST instead of GET as I mentioned in my previous post. As a result, you won't see credentials in any URL anymore, even automatic login.

However if you have a bookmark to the login.asp URL with credentials as parameters it will still login but as said it will show in logs, etc.




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 



Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #301816 24-Feb-2010 14:37
Send private message

Good changes, thumbs up!

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright