Page 2 of 2

#16, jblevins1991 (Registered User, Devshed Newbie; joined Nov 2012; 14 posts)
    It's all secure unless you have an SSL into the server and use prepared query statements, salt passwords, encrypt and hash passwords, and the settype() function. Cookies are more practical because Sessions run out on browser close. Just encrypt and hash the password and salt it and throw it into a cookie. At least then you can say that it was as secure as possible.
#17, Sarcky (Devshed Supreme Being; joined Oct 2006; Pennsylvania, USA; 10,908 posts)

    Originally Posted by jblevins1991
    It's all secure unless you have an SSL into the server and use prepared query statements, salt passwords, encrypt and hash passwords, and the settype() function. Cookies are more practical because Sessions run out on browser close. Just encrypt and hash the password and salt it and throw it into a cookie. At least then you can say that it was as secure as possible.
    This is wrong. I said this was wrong hours ago. At least read the threads. Never store passwords in the cookie, ever.

    Prepared statements have nothing to do with this problem.

    Encrypting AND hashing something is unnecessary, it's one or the other.

    settype is irrelevant to this discussion.

    And none of this stops me from simply copying your login cookie to my computer and taking over your account.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#18, jblevins1991 (Registered User, Devshed Newbie)
    Originally Posted by ManiacDan
    This is wrong. I said this was wrong hours ago. At least read the threads. Never store passwords in the cookie, ever.

    Prepared statements have nothing to do with this problem.

    Encrypting AND hashing something is unnecessary, it's one or the other.

    settype is irrelevant to this discussion.

    And none of this stops me from simply copying your login cookie to my computer and taking over your account.
    Yes, I was lazy and did not read the requests. You are right about not storing passwords in cookies. settype is very relevant because PDO::PARAM types do not enforce variable data types, prepared queries block MySQL injection, and who says that encrypting and hashing is not more secure when you have a valid intrusion detection system? The longer it takes to perform operations on a database the better it is. Hashing is one way, but to do key stretching you have to use encryption. Therefore your argument is invalid.
#19, Sarcky (Devshed Supreme Being)
    settype is very relevant because PDO::PARAM types do not enforce variable data types
    Yeah...and? How is PDO related to a "remember me" cookie, especially when all inputs and outputs of cookies will be strings and should be treated like strings?

    prepared queries block MySQL injection
    If this was a thread about generic data security that would be relevant also. We're not talking about generic app security though.

    the longer it takes to perform operations on a database the better it is. hashing is one way, but to do key stretching you have to use encryption. therefore your argument is invalid.
    Maybe you're in the wrong thread. We're talking about semi-permanent login cookies, not the security of a fully compromised database table. Sure, if you want to be the most secure theoretically possible for something unrelated to this topic you should encrypt the passwords with a variable keyed algorithm, then hash it with a unique salt per user, then maybe even reverse or shuffle the result just to add obfuscation. But since the contents of the cookie I suggested are not available even to the user they belong to, hash is more than enough.

    Comments on this post

    • portcitysoftwar agrees
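The two points Sarcky makes above (a cookie that can be copied off one machine and replayed from another, and cookie contents that the server stores only as a hash) are easier to reason about with working code. The following is an added example, not code from this thread and not the scheme Sarcky proposed on page 1: it implements a "remember me" cookie as a random selector plus a random validator, stores only a hash of the validator server-side, rotates the token on every use, and sets the cookie attributes that keep it out of reach of scripts and plain HTTP. The function names, the 30-day lifetime, the cookie name `remember`, and the in-memory `$tokens` array standing in for a database table are all assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. The password never enters the cookie:
// the cookie carries <selector>:<validator>, both random; the server keeps
// only sha256(validator), so a dumped token table yields no usable cookies.
// $tokens is an in-memory stand-in for a remember_me table keyed on selector.
const REMEMBER_TTL = 30 * 24 * 3600;   // 30 days; an assumed policy value

function issueRememberToken(array &$tokens, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key, 24 hex chars
    $validator = random_bytes(32);          // secret; exists only inside the cookie
    $tokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . bin2hex($validator);
}

// Returns the user id on success, or null. A successful check consumes the
// presented token and hands back a fresh one in $newCookie, so any single
// cookie value is valid for one login only.
function checkRememberToken(array &$tokens, string $cookie, int $now, ?string &$newCookie): ?int
{
    $newCookie = null;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validatorHex] = $parts;
    if (strlen($selector) !== 24 || strlen($validatorHex) !== 64
        || !ctype_xdigit($selector) || !ctype_xdigit($validatorHex)) {
        return null;                        // malformed: treat as no cookie at all
    }
    if (!isset($tokens[$selector])) {
        return null;
    }
    $row = $tokens[$selector];
    if ($row['expires'] < $now) {
        unset($tokens[$selector]);          // expired: clean it up
        return null;
    }
    $presented = hash('sha256', hex2bin($validatorHex));
    if (!hash_equals($row['validator_hash'], $presented)) {
        // Known selector, wrong validator: revoke rather than leave it live.
        unset($tokens[$selector]);
        return null;
    }
    unset($tokens[$selector]);              // rotate: the old token is spent
    $newCookie = issueRememberToken($tokens, $row['user_id'], $now);
    return $row['user_id'];
}

// Logout: drop the server-side record so the cookie value becomes worthless.
function revokeRememberToken(array &$tokens, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($tokens[$selector]);
}

// Attributes for setcookie(): HttpOnly keeps the value away from page scripts,
// Secure keeps it off plain HTTP, SameSite=Lax limits cross-site submission.
function rememberCookieOptions(int $now): array
{
    return [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Walk-through against the in-memory store.
$tokens = [];
$now    = time();
$cookie = issueRememberToken($tokens, 42, $now);
// In a real request: setcookie('remember', $cookie, rememberCookieOptions($now));

$user = checkRememberToken($tokens, $cookie, $now + 3600, $next);
assert($user === 42 && $next !== null);                                     // accepted and rotated
assert(checkRememberToken($tokens, $cookie, $now + 3600, $unused) === null); // replay of old value fails
revokeRememberToken($tokens, $next);                                         // logout
assert($tokens === []);
$stale = issueRememberToken($tokens, 42, $now);
assert(checkRememberToken($tokens, $stale, $now + REMEMBER_TTL + 1, $unused) === null); // expired
assert($tokens === []);
echo "remember-me flow OK\n";
```

Two design choices worth noting. The database lookup is by the public selector, and only the secret validator is compared with `hash_equals()`, so neither the lookup nor the comparison leaks timing information about the secret. A plain SHA-256 is adequate here, unlike for passwords, because the validator is 256 bits drawn from `random_bytes()` and cannot be guessed offline; what this does not do is stop someone who already holds a current cookie value from using it once, which is why the token is single-use and why logout revokes it server-side.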
#20, jblevins1991 (Registered User, Devshed Newbie)
    I said that it is all insecure unless you use all of the things I posted above. I was just adding relevant content to the thread since security became a topic. You attacking my statement and dragging this out is actually deviating from the thread. Especially since your original attack against me was that it was stated hours ago. I don't care. You attacked me about hashing and encrypting on passwords. This was incorrect. Settype is very relevant to any web app security thread. I also already accepted that putting the password in a cookie is a bad idea. At this point you are just making yourself look bad.

    I understand I was wrong about a few things, but at this point you are being ignorant. Especially since you were wrong as well.

    Comments on this post

    • portcitysoftwar disagrees
#21, Sarcky (Devshed Supreme Being)
    I'm going to go ahead and close this thread now that it's devolved into personal attacks. OP, if you have further questions about these types of cookies, just open a new thread. Further commentary on the general state of internet security is probably better placed in the lounge.