Geekzone: technology news, blogs, forums
  Reply # 292939 25-Jan-2010 18:45
Cookies are just as easy to harvest as browser history, so if you are staying logged in, any malware could take the cookie and flick it back to the botnet master to get in here on your currently saved details or current session.




Richard rich.ms

BDFL - Memuneh
  Reply # 292940 25-Jan-2010 18:48

I have changed the scripts so the password won't show as part of a URL anymore - unless you guys have it saved in the bookmark.

As for the cookies - yes, this was discussed at length in the other thread, and unless we work on something like a session token that changes on every page view, then your information will always be "available". I am still not convinced that a single token solves the impersonation problem, unless the entire session is always encrypted and there isn't an option for automatic login.
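The per-page-view token rotation freitasm mentions, worked through as an added example written for this page (not Geekzone's own scripts). It assumes a server-side session table keyed by an opaque cookie value, and a constructed scenario in which malware copies the cookie. The point it makes is the one in the post: rotation does not stop an attacker who already holds the current cookie, but it does turn the theft into something detectable, because the moment the victim's browser presents the now-retired token the server knows two parties hold copies and can revoke the whole session.

```python
import secrets


class SessionStore:
    """Server-side session table; the browser holds only an opaque token.

    Every request rotates the token. A token that has already been rotated
    out is treated as evidence that the cookie was copied, and the whole
    session is revoked rather than just that one token.
    """

    def __init__(self):
        self._current = {}   # live token -> session id
        self._retired = {}   # rotated-out token -> session id
        self._sessions = {}  # session id -> user name

    def login(self, user):
        sid = secrets.token_hex(16)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        self._current[token] = sid
        return token

    def request(self, token):
        """Return (user, next_token) for a live token, or (None, None).

        Presenting a retired token means two parties hold copies of the
        cookie, so the session behind it is revoked on the spot.
        """
        sid = self._current.pop(token, None)
        if sid is None:
            replayed_sid = self._retired.get(token)
            if replayed_sid is not None:
                self.revoke(replayed_sid)
            return None, None
        self._retired[token] = sid
        next_token = secrets.token_urlsafe(32)
        self._current[next_token] = sid
        return self._sessions[sid], next_token

    def revoke(self, sid):
        self._sessions.pop(sid, None)
        for table in (self._current, self._retired):
            for tok in [t for t, s in table.items() if s == sid]:
                del table[tok]


def normal_flow():
    """One browser, three page views: every request is honoured."""
    store = SessionStore()
    token = store.login("alice")
    seen = []
    for _ in range(3):
        user, token = store.request(token)
        seen.append(user)
    return seen


def stolen_cookie_flow():
    """Malware copies the cookie (constructed scenario) and uses it first."""
    store = SessionStore()
    victim_token = store.login("alice")
    stolen_token = victim_token                  # the copy held by the attacker
    # 1. The copy is replayed before the victim's next page view: rotation
    #    cannot tell the two apart yet, so the impersonation succeeds.
    attacker_user, attacker_next = store.request(stolen_token)
    # 2. The victim's browser now presents a token that was rotated out.
    #    That is the detection point: the session is revoked.
    victim_user, _ = store.request(victim_token)
    # 3. The attacker's freshly issued token died with the session.
    attacker_after, _ = store.request(attacker_next)
    return attacker_user, victim_user, attacker_after


if __name__ == "__main__":
    print("normal:", normal_flow())
    print("stolen cookie (attacker, victim, attacker again):", stolen_cookie_flow())
```

Two things follow from the design. First, an "automatic login" cookie that never rotates gives the attacker an indefinite window, which is why the post ties the question to automatic login. Second, rotation only detects the copy once both parties are active; a token that is also bound to HTTPS (the `Secure` flag) and kept away from scripts (`HttpOnly`) narrows how the copy is obtained in the first place, but neither flag helps against malware reading the cookie jar directly, which is the case raised in the first post.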

BDFL - Memuneh
  Reply # 301745 24-Feb-2010 09:25

Ragnor: @freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/servers can potentially read browsing history including visited URLs via various methods (javascript, activex, flash, referrer etc).



We released a change yesterday that will now use session variables for automatic login. Also the login page is using POST instead of GET as I mentioned in my previous post. As a result, you won't see credentials in any URL anymore, even automatic login.

However if you have a bookmark to the login.asp URL with credentials as parameters it will still log in but as said it will show in logs, etc.
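The "it will show in logs" remark is the part an administrator can act on after the change: old bookmarks keep hitting login.asp with credentials in the query string, and every hop that writes access logs records them. The script below is an added example written for this page, not part of Geekzone's code. It scans constructed Common Log Format lines (invented addresses, usernames and passwords) for query-string parameters that look like credentials, so such bookmarks can be found and their owners told, and it redacts the values so the archived log stops carrying passwords. The parameter names it treats as sensitive are an assumption; a real deployment would use the login form's actual field names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (invented for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2010:09:25:01 +1300] "GET /forums.asp HTTP/1.1" 200 5120
203.0.113.9 - - [24/Feb/2010:09:25:03 +1300] "GET /login.asp?username=alice&password=hunter2&remember=1 HTTP/1.1" 302 0
203.0.113.9 - - [24/Feb/2010:09:25:04 +1300] "POST /login.asp HTTP/1.1" 302 0
198.51.100.4 - - [24/Feb/2010:09:26:10 +1300] "GET /topic.asp?TopicId=1234&Password=x HTTP/1.1" 200 8000
"""

# Parameter names treated as secrets (assumed; use your login form's real names).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REDACT_RE = re.compile(
    r'(?i)([?&](?:' + '|'.join(sorted(SENSITIVE_PARAMS)) + r')=)[^&\s"]*'
)


def find_credential_leaks(log_text):
    """Return one finding per request whose query string carries a secret.

    POST bodies never appear in the access log, so a POST to login.asp is
    clean by construction; only GET targets with matching parameters hit.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        hit = sorted(names & SENSITIVE_PARAMS)
        if hit:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": parts.path,
                "params": hit,
            })
    return findings


def redact_line(line):
    """Blank out secret values so the archived log is safe to keep or share."""
    return REDACT_RE.sub(r"\1[REDACTED]", line)


def redact_log(log_text):
    return "\n".join(redact_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
    print(redact_log(SAMPLE_LOG))
```

Redaction keeps the parameter name, so the redacted log still shows which clients are using a credential-bearing bookmark without preserving the secret itself; the same substitution can run on proxy or load-balancer logs, which see the URL just as the origin server does.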




  Reply # 301816 24-Feb-2010 14:37

Good changes, thumbs up!
