Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 
20430 posts

Uber Geek
+1 received by user: 3901

Trusted
Subscriber

  Reply # 292939 25-Jan-2010 18:45
Send private message

Cookies are just as easy to harvest as browser history, so if you are staying logged in, any malware could take the cookie and flick it back to the botnet master to get in here on your currently saved details or current session.




Richard rich.ms

BDFL - Memuneh
59180 posts

Uber Geek
+1 received by user: 10413

Administrator
Trusted
Geekzone
Subscriber

  Reply # 292940 25-Jan-2010 18:48
Send private message

I have changed the scripts so the password won't show as part of a URL anymore - unless you guys have it saved in the bookmark.

As for the cookies - yes, this was discussed at length in the other thread, and unless we work on something like a session token that changes on every page view, then your information will always be "available". I am still not convinced that a single token solves the impersonation problem, unless the entire session is always encrypted and there isn't an option for automatic login.






 
 
 
 


BDFL - Memuneh
59180 posts

Uber Geek
+1 received by user: 10413

Administrator
Trusted
Geekzone
Subscriber

  Reply # 301745 24-Feb-2010 09:25
Send private message

Ragnor: @freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/severs can potentially read browsing history including visited urls via various methods (javascript, activex, flash, referrer etc).



We released a change yesterday that will now use session variables for automatic login. Also the login page is using POST instead of GET as I mentioned in my previous post. As a result, you won't see credentials in any URL anymore, even automatic login.

However if you have a bookmark to the login.asp URL with credentials as parameters it will still login but as said it will show in logs, etc.




8020 posts

Uber Geek
+1 received by user: 386

Trusted
Subscriber

  Reply # 301816 24-Feb-2010 14:37
Send private message

Good changes, thumbs up!

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

UAV Traffic Management Trial launching today in New Zealand
Posted 12-Dec-2017 16:06


UFB connections pass 460,000
Posted 11-Dec-2017 11:26


The Warehouse Group to adopt IBM Cloud to support digital transformation
Posted 11-Dec-2017 11:22


Dimension Data peeks into digital business 2018
Posted 11-Dec-2017 10:55


2018 Cyber Security Predictions
Posted 7-Dec-2017 14:55


Global Govtech Accelerator to drive public sector innovation in Wellington
Posted 7-Dec-2017 11:21


Stuff Pix media strategy a new direction
Posted 7-Dec-2017 09:37


Digital transformation is dead
Posted 7-Dec-2017 09:31


Fake news and cyber security
Posted 7-Dec-2017 09:27


Dimension Data New Zealand strengthens cybersecurity practice
Posted 5-Dec-2017 20:27


Epson NZ launches new Expression Premium Photo range
Posted 5-Dec-2017 20:26


Eventbrite and Twickets launch integration partnership in Australia and New Zealand
Posted 5-Dec-2017 20:23


New Fujifilm macro lens lands in New Zealand
Posted 5-Dec-2017 20:16


Cyber security not being taken seriously enough
Posted 5-Dec-2017 20:13


Sony commences Android 8.0 Oreo rollout in New Zealand
Posted 5-Dec-2017 20:08



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.