Joel is right. A "known plaintext" attack is very effective... and sending a sample of
your encryption to anyone is risky.
Also, just for information's sake, you can recover passwords from digest form... sort
of. Ever heard of "Crack" or "John the Ripper"?
If you enforce strong passwords then it
--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> OK, I know this is getting a little off-topic, but I think security is a big
> issue, especially with newbies like myself, and deserves some good
> discussion. Also, there's probably not a perl-cgi-beginners-security list,
> nor should there be.
>
> I l
]>
To: CGI Beginners <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 12:42 PM
Subject: RE: Cookies and Security
> --- Joel Hughes <[EMAIL PROTECTED]> wrote:
> > Curtis,
> > are you sure that sending the digest back to the client in cookie form
is a
> > good id
--- Joel Hughes <[EMAIL PROTECTED]> wrote:
> Curtis,
> are you sure that sending the digest back to the client in cookie form is a
> good idea?
>
> I mean, if I were a hacker, could I not register and then retrieve the
> digest - you then have the plain text and the cipher text. (admittedly you
>
function.
joel
-Original Message-
From: Curtis Poe [mailto:[EMAIL PROTECTED]]
Sent: 08 August 2001 17:38
To: CGI Beginners
Subject: Re: Cookies and Security
--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> First of all, thanks for the quick response. This application isn't in
use
--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> First of all, thanks for the quick response. This application isn't in use
> yet, so now is the time to make security changes
>
> A few questions/let me see if I'm following you:
>
> A user enters their password, I create the digest, and store the dig
Ryan Davis wrote:
>
> First of all, thanks for the quick response. This application isn't in use
> yet, so now is the time to make security changes
>
> A few questions/let me see if I'm following you:
>
> A user enters their password, I create the digest, and store the digest as a
> cookie.
the message _out_ of digest form.
Thanks,
Ryan
- Original Message -
From: Curtis Poe <[EMAIL PROTECTED]>
To: CGI Beginners <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 11:00 AM
Subject: Re: Cookies and Security
> --- Ryan Davis <[EMAIL PROTECTED]> wrot
--- Ryan Davis <[EMAIL PROTECTED]> wrote:
> Hey all,
>
> I have a password protected area, and after the user puts in their password, I store
>it in a
> cookie, and the CGI reads that cookie every time to determine if the user is logged
>in or not.
> I figured this was safer than passing a 'lo
Your script will be multiply concurrent, will it not? That is, several users
may be executing the same [instance of the] script. How are you going to
tell them apart?
I know CGI.pm retains values from a previous invocation, but have never
understood how to differentiate between the separate users