|
|
Posted by Toby Inkster on 11/17/67 11:28
David Dorward wrote:
> I'm about to head off to bed so if I'm missing something obvious you can put
> it down to needing the zzzs, but what's stopping the attacker sniffing the
> cookies and then requesting the page using those cookies?
They can. But they can't find out the password.
In real life you'd be a bit smarter and add a time limit too, after which
the user would need to revalidate. The way to do that would be to set an
short expire time on the cookie, and then include the expire time into the
md5 crypt. Reset the cookie with a new expire time and new crypt on each
request.
But I left that out because it needlessly complicated the example, which
was just intended to show that a user can remain logged in without either
using HTTPS or revealing their login credentials.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Navigation:
[Reply to this message]
|