|
Posted by Gordon Burditt on 02/17/07 00:52
>> i have a php site which allows users to save a cookie on their
>> computer which stores their user id details and allows them to auto-
>> login.
>>
>> i'm wondering whether this is safe, is it possible for a malicious
>> user to find that cookie and change its value and therefore auto-login
>> as someone else? and if so how can this be prevented?
>
>How could a "malicious user" gain access to a cookie stored somewhere in
>your your users computer, unless they break into your users house? My
Easy: your user LIVES WITH (or worse, sleeps with AND lives with)
the malicious user. Or his kids invite the malicious user (aka
neighbor kid) in. Not all users are nerds with no friends.
Sometimes warring siblings have to share a computer.
Laptops are easy to steal. Just listen to the news: how often is
a laptop with government classified information or sensitive financial
information on it reported missing? I suspect it's especially easy
to steal laptops at airports. My Palm also contains a web browser
and it's not that hard to lose it.
>browser regularly asks me if I wish it to "remember" my userid/password
>detailss for next time. Often I tell it to do so.
>Then again your user may be just silly enough to store your cookie on the
>public libraries computer. Their problem then IMHO.
Navigation:
[Reply to this message]
|