[3805] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (David W. Morris)
Sat Dec 14 21:00:16 1996
Date: Sat, 14 Dec 1996 15:57:46 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: "David B. Donahue" <ddonahue@emf.net>
cc: David Ray <daver@idiom.com>, www-security@ns2.rutgers.edu
In-Reply-To: <32B1B100.14E0@emf.net>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 13 Dec 1996, David B. Donahue wrote:
> In this way, even though the underlying password wasn't readable in the
> cookie, because all cookie passwords (in this config) are decrypted the
> same way, the encrypted password simply becomes the password.
You are correct, but the encrypted cookie approach has one major
improvement over clear text passwords via WWW basic authenticate or
form fields ... humans have a tendency to use the same password for
every service for which they choose passwords. Good encryption of
the password in the cookie would prevent a hacker from using the password
to access other services available to the original end user.
A very important consideration.
Dave Morrix
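The two points in this exchange can be seen side by side in a small simulation. This is an added example, not code from either poster or from any product discussed on the list: a server issues a cookie holding the user's password encrypted under a single server-wide key, and later authenticates by decrypting it. Because the real cipher is not specified, the example uses HMAC-SHA256 in counter mode as a stand-in keystream so it runs on the Python standard library alone; the key, the user table and the password are constructed sample values. `authenticate_cookie` shows Donahue's point (whoever presents the cookie is accepted, so the ciphertext is as good as the password), and `plaintext_exposed` shows Morris's point (the password itself cannot be read out of the cookie without the server key).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; a real deployment would load these from secure storage.
SERVER_KEY = b"constructed-server-wide-secret-key"
USERS = {"alice": "s3cret-reused-everywhere"}
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = SERVER_KEY) -> str:
    """Encrypt the password under the server-wide key; returns base64(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = password.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ciphertext).decode()


def decrypt_password(blob: str, key: bytes = SERVER_KEY) -> str:
    """Reverse of encrypt_password. With the wrong key the result is unrelated bytes."""
    raw = base64.urlsafe_b64decode(blob)
    nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8", errors="replace")


def login(username: str, password: str):
    """Form-based login: on success, issue the cookie 'user:encrypted-password'."""
    if USERS.get(username) != password:
        return None
    return f"{username}:{encrypt_password(password)}"


def authenticate_cookie(cookie: str) -> bool:
    """Every later request is authenticated by decrypting the cookie with the same key.
    Nothing ties the cookie to the client that received it, so a copy of the cookie
    is accepted exactly as the original: the ciphertext has become the credential."""
    username, _, blob = cookie.partition(":")
    try:
        password = decrypt_password(blob)
    except ValueError:  # covers the base64 padding error raised for malformed blobs
        return False
    return USERS.get(username) == password


def plaintext_exposed(cookie: str, password: str) -> bool:
    """True if the raw password bytes can be read straight out of the cookie."""
    _, _, blob = cookie.partition(":")
    return password.encode() in base64.urlsafe_b64decode(blob)


if __name__ == "__main__":
    cookie = login("alice", USERS["alice"])
    print("cookie:", cookie)
    print("server accepts original:", authenticate_cookie(cookie))
    print("server accepts a copy of it:", authenticate_cookie(cookie))
    print("password readable from cookie:", plaintext_exposed(cookie, USERS["alice"]))
    print("decrypt with wrong key:", decrypt_password(cookie.partition(":")[2], key=b"other"))
```

The decisive line is `authenticate_cookie`: the server's only check is "does this decrypt to a valid password under my key", so holding the cookie is equivalent to holding the password for this service, which is the weakness Donahue describes. What the encryption does buy, as Morris notes, is that the value in the cookie is useless against any other service where the same password was reused; `plaintext_exposed` returns False and decryption under another key yields nothing meaningful.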