Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 
21459 posts

Uber Geek
+1 received by user: 4362

Trusted
Subscriber

  Reply # 292939 25-Jan-2010 18:45
Send private message

Cookies are just as easy to harvest as browser history, so if you are staying logged in, any malware could take the cookie and flick it back to the botnet master to get in here on your currently saved details or current session.




Richard rich.ms

BDFL - Memuneh
61313 posts

Uber Geek
+1 received by user: 12053

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 292940 25-Jan-2010 18:48
Send private message

I have changed the scripts so the password won't show as part of a URL anymore - unless you guys have it saved in the bookmark.

As for the cookies - yes, this was discussed at length in the other thread, and unless we work on something like a session token that changes on every page view, then your information will always be "available". I am still not convinced that a single token solves the impersonation problem, unless the entire session is always encrypted and there isn't an option for automatic login.






BDFL - Memuneh
61313 posts

Uber Geek
+1 received by user: 12053

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 301745 24-Feb-2010 09:25
Send private message

Ragnor: @freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/severs can potentially read browsing history including visited urls via various methods (javascript, activex, flash, referrer etc).



We released a change yesterday that will now use session variables for automatic login. Also the login page is using POST instead of GET as I mentioned in my previous post. As a result, you won't see credentials in any URL anymore, even automatic login.

However if you have a bookmark to the login.asp URL with credentials as parameters it will still login but as said it will show in logs, etc.




8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 301816 24-Feb-2010 14:37
Send private message

Good changes, thumbs up!

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.