keeping password just in cookies, not in servers.
Hi,
Suppose a site doesn't store passwords on its server.
When the user creates a new account, his password is hashed together with his username and stored in a cookie inside his Web browser. When he comes to the site again and types in his username and password, the server hashes them, pulls the cookie from the user's browser and checks if the computed hash is equal to the hash stored in the cookie. If they match, access is granted.
Can another person log into his account just by knowing the username, i.e. the victim's computer is offline and inaccessible (cannot be eavesdropped)?
#2 Oct 23rd, 2009
Probably not except by brute force. This is a bad idea though since when the user loses their cookies they will no longer be able to log in. It is just a matter of time before they lose their browser settings.
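
An added example, not part of the original thread: a Python model of the check described in the question, next to a verifier the server keeps itself. It shows that the cookie-only check tests whether the submitted password and the submitted cookie agree with each other, not whether either came from the account owner. The function and class names, the SHA-256 and PBKDF2 choices and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os

def cookie_hash(username, password):
    """Scheme from the question: hash of username and password, held only by the browser."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

def login_cookie_only(username, password, cookie):
    """Server as described: recompute the hash and compare with the cookie the client sent."""
    return hmac.compare_digest(cookie_hash(username, password), cookie)

class ServerSideStore:
    """Hardened form: a salted, slow verifier that never leaves the server."""
    def __init__(self):
        self._db = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._db[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        record = self._db.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)

def demo():
    # Constructed sample account; not taken from the thread.
    owner_cookie = cookie_hash("alice", "correct horse")
    results = {"owner": login_cookie_only("alice", "correct horse", owner_cookie)}
    # A browser that never held the owner's cookie: both inputs come from the
    # client, so the comparison only proves they are consistent with each other.
    results["other_browser"] = login_cookie_only(
        "alice", "guess", cookie_hash("alice", "guess"))
    store = ServerSideStore()
    store.register("alice", "correct horse")
    results["server_right"] = store.login("alice", "correct horse")
    results["server_wrong"] = store.login("alice", "guess")
    return results

if __name__ == "__main__":
    print(demo())
```
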