[ic] Login Cookie

Davor Ocelic docelic at mail.inet.hr
Tue Dec 7 04:47:51 EST 2004

> Hello,
> A customer complained about setting the username and password in a cookie
> for "auto-login."  A look at this page:
> http://www.icdevgroup.org/i/dev/docfly.html?mv_arg=icconfig05%2e13
> Shows this is what happens.  Is there a good reason security-wise to use an
> md5 hash table or some other form of unique identification for auto-login,
> rather than username/password in a cookie?
> Anyone else have concerns about this?

Saving MD5 in a cookie instead of a password makes no sense.

MD5 is not reversable - the computer can't devise the original password
out of it in any way. So that means you would just be sending a md5
hash to the server instead of a plain-text password - which makes no
difference - a person who gets his hands on your cookie file could log in
anyway; this would just add pointless overhead on the server (calculating
md5s etc).

Finally, all similar systems save your actual password in the cookie file
unless you disable it.

If your client was concerned about localhost security, then he should
avoid saving login cookies. If he was concerned about network security,
then you could make sure the login goes over SSL ([process secure=1]).


More information about the interchange-users mailing list