[ic] UNSECURE Username and Password cookies being set at UI login

Grant interchange-users@icdevgroup.org
Tue Sep 10 19:34:01 2002


   When I hit the UI login page with cookies set to "prompt" in the browser,
two cookies are set: MV_USERNAME and MV_PASSWORD.  Why are these cookies set
if there is no autologin feature for the UI?  I am never logged in
automatically, but for some reason I almost always get "Failure: Invalid
user name or password." on that login page when I hit it.
   The values that are being set for the cookies in the UI are being set
under the same cookie names that are used for the AutoLogin feature of my
store's front-end.  Consequently (I think), the error log is overrun with
"Denied attempted login with nonexistent user name 'catalogname'" entries
which must be written every time I view one of my store's front-end pages
with the UI login values set for cookies: MV_USERNAME and MV_PASSWORD.  You
can go into your Temporary Internet Files folder on a Windows machine and
see your username and password right there in a cookie in plain text.

   I was hoping to stop these cookies from being set at UI login for three
reasons:

1. I don't see what purpose it serves, as there is no autologin feature in
the UI.
2. I think those cookies are causing all of the entries in my error log.
3. The cookies being set at the UI login aren't secure and do include the
password for the UI, so it makes me think they could be intercepted and
viewed.

   Would that be a source hack to fix this or is there a simpler solution?

- Grant
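
The exposure described in the post can be confirmed from outside the application by inspecting the `Set-Cookie` headers returned at login. The following is an added example, not part of the original post and not Interchange code; the cookie names `MV_USERNAME` and `MV_PASSWORD` come from the post, while the sample headers and the function names `parse_set_cookie` and `audit_set_cookie` are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for credential-bearing cookies.
# Cookie names come from the post; everything else here is hypothetical.
CREDENTIAL_COOKIES = {"MV_USERNAME", "MV_PASSWORD"}

# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Set-Cookie: OTHER_COOKIE=constructed123; path=/",
    "Set-Cookie: MV_USERNAME=catalogname; path=/; expires=Wed, 10 Sep 2003 19:34:01 GMT",
    "Set-Cookie: MV_PASSWORD=constructed-secret; path=/; expires=Wed, 10 Sep 2003 19:34:01 GMT",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header line into (name, value, attributes)."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers):
    """Return [(cookie_name, [issues])] for each credential cookie seen."""
    findings = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(header)
        if name.upper() not in CREDENTIAL_COOKIES:
            continue
        issues = []
        if value:
            issues.append("credential stored in cookie value")
        if "secure" not in attrs:
            issues.append("no Secure attribute, sent over plain HTTP")
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent, written to the browser's disk store")
        findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for cookie, problems in audit_set_cookie(SAMPLE_HEADERS):
        print(cookie, "->", "; ".join(problems) or "ok")
```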