[3807] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Sat Dec 14 22:07:08 1996
To: "David W. Morris" <dwm@xpasc.com>
cc: "David B. Donahue" <ddonahue@emf.net>, David Ray <daver@idiom.com>,
www-security@ns2.rutgers.edu
Date: Sat, 14 Dec 1996 20:27:30 -0500
From: Steven Bellovin <smb@research.att.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 13 Dec 1996, David B. Donahue wrote:
> In this way, even though the underlying password wasn't readable in the
> cookie, because all cookie passwords (in this config) are decrypted the same
> way, the encrypted password simply becomes the password.
You are correct, but the encrypted cookie approach has one major
improvement over clear text passwords via WWW basic authenticate or
form fields ... humans have a tendency to use the same password for
every service for which they choose passwords. Good encryption of
the password in the cookie would prevent a hacker from using the password
to access other services available to the original end user.
A very important consideration.
Dave Morrix
If the cookie file, or lines of it, are stored encrypted under some key,
it's reasonably safe from theft, since that encrypted form is not transmitted.
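The two designs the thread contrasts, worked through as an added example (this is not code from the list message or from any of its authors). Design 1 stores the user's password in the cookie, encrypted under a server key; the server decrypts and compares, so the ciphertext is accepted wherever it is presented, while the plaintext stays hidden behind the key, which is Morris's point about cross-service reuse. Design 2 replaces the password with an opaque random session token backed by server-side state, which adds expiry and revocation. The HMAC-SHA256 counter-mode keystream, the server key, the account table and the session store are all constructed for the demo; a real service would use an authenticated cipher and a persistent session store.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo values; a real deployment loads these from a secret store.
SERVER_KEY = b"constructed-demo-server-key"
USERS = {"alice": "hunter2"}  # constructed account; plaintext kept only for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher.
    Assumption: demo only; a real service would use an AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Design 1: the cookie carries the password, encrypted under the server key.

def make_password_cookie(password: str) -> str:
    """Encrypt the password; the nonce travels with the ciphertext."""
    nonce = secrets.token_bytes(12)
    plaintext = password.encode()
    ciphertext = _xor(plaintext, _keystream(SERVER_KEY, nonce, len(plaintext)))
    return (nonce + ciphertext).hex()


def check_password_cookie(user: str, cookie: str) -> bool:
    """Decrypt and compare. Any holder of the cookie passes this check, so the
    ciphertext is the credential for this site, even though the plaintext
    password is not recoverable from it without SERVER_KEY."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return False  # malformed cookie, not a hex string
    nonce, ciphertext = raw[:12], raw[12:]
    recovered = _xor(ciphertext, _keystream(SERVER_KEY, nonce, len(ciphertext)))
    return hmac.compare_digest(recovered, USERS.get(user, "").encode())


# --- Design 2: the cookie carries an opaque random token with server-side state.

SESSIONS: Dict[str, Tuple[str, float]] = {}  # token digest -> (user, expiry)
SESSION_LIFETIME = 3600.0  # seconds


def _digest(token: str) -> str:
    # Store only a keyed hash so a leaked session table yields no usable tokens.
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def start_session(user: str, now: Optional[float] = None) -> str:
    """Issue a fresh random token after a successful login (the login itself is
    assumed to have happened over the form or basic-auth path the thread mentions)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = (user, now + SESSION_LIFETIME)
    return token


def check_session(user: str, token: str, now: Optional[float] = None) -> bool:
    """Valid only while the server-side record exists, matches the user and has not expired."""
    now = time.time() if now is None else now
    record = SESSIONS.get(_digest(token))
    if record is None:
        return False
    owner, expiry = record
    if now >= expiry:
        del SESSIONS[_digest(token)]  # sweep the expired entry lazily
        return False
    return hmac.compare_digest(owner, user)


def end_session(token: str) -> None:
    """Logout or server-side revocation makes any copy of the token useless."""
    SESSIONS.pop(_digest(token), None)


if __name__ == "__main__":
    cookie = make_password_cookie(USERS["alice"])
    print("password cookie accepted on presentation:", check_password_cookie("alice", cookie))
    tok = start_session("alice", now=0.0)
    print("session valid:", check_session("alice", tok, now=10.0))
    end_session(tok)
    print("session after logout:", check_session("alice", tok, now=20.0))
```

The difference worth noticing is not the cipher but what the server keeps: in Design 1 there is nothing on the server to revoke, so the cookie stays valid as long as the password does; in Design 2 the token has no meaning outside the session table, so expiry and logout actually end its usefulness, and the session table itself holds only keyed digests.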