[3832] in WWW Security List Archive


Re: Cookie question

daemon@ATHENA.MIT.EDU (kaibay@skcc.co.kr)
Wed Dec 18 04:55:41 1996

Date: Wed, 18 Dec 1996 15:40:28 +0900
To: song@skcc.co.kr
From: "kaibay@skcc.co.kr" <kaibay@skcc.co.kr>
Cc: David Ray <daver@idiom.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 13 Dec 1996, David B. Donahue wrote:

> In this way, even though the underlying password wasn't readable in the
> cookie, because all cookie passwords (in this config) are decrypted the
> same way, the encrypted password simply becomes the password.

You are correct, but the encrypted cookie approach has one major
improvement over clear text passwords via WWW basic authentication or
form fields ... humans have a tendency to use the same password for
every service for which they choose passwords. Good encryption of
the password in a cookie would prevent a hacker from using the password
to access other services available to the original end user.

A very important consideration.

Dave Morrix
=====================================================================
 Chung, Dae-Gyun                 SI BUSINESS 1 TEAM
kaibay@mail.skcc.co.kr           SK COMPUTER & COMMUNICATION
 phone) +82-2-3469-8734          15F,POSCO CENTER,892,DAECHI-4DONG,
 FAX)   +82-2-3469-7000          KANGNAM-GU,SEOUL,135-284, KOREA 
=====================================================================
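Both points in the exchange above can be shown in a few lines of code. The following is an added example, not code from the thread or from any of the posters: a server issues a cookie holding the user's password encrypted under a server-side key, and checks logins by decrypting and comparing. It assumes a single server secret (SERVER_KEY), a constructed user table holding plaintext passwords (as the scheme under discussion implies), and uses HMAC-SHA256 in counter mode as a standard-library stand-in for a proper block cipher, with an HMAC tag so that tampered cookies are rejected.

```python
"""Encrypted-password cookie: the plaintext is hidden, but the ciphertext
itself is a reusable credential.  Added example, not from the thread."""
import base64
import hashlib
import hmac
import os

# Assumption: one per-server secret that never leaves the server.
SERVER_KEY = os.urandom(32)

# Constructed sample user table; the 1996 scheme implies plaintext storage.
USERS = {"alice": "hunter2"}

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based stream cipher (HMAC-SHA256 in counter mode); stands in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_cookie(username: str, password: str, key: bytes = SERVER_KEY) -> str:
    """Encrypt-then-MAC the password; cookie value is 'user:base64(nonce|ct|tag)'."""
    nonce = os.urandom(NONCE_LEN)
    pt = password.encode()
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return username + ":" + base64.b64encode(nonce + ct + tag).decode()


def open_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return (username, password) if the tag verifies under `key`, else None.

    Without the server key neither the tag nor the plaintext can be produced,
    which is the protection Morrix describes: the cookie does not leak a
    password the user may have reused elsewhere."""
    try:
        username, blob = cookie.split(":", 1)
        raw = base64.b64decode(blob)
    except ValueError:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = _xor(ct, _keystream(key, nonce, len(ct)))
    return username, pt.decode(errors="replace")


def authenticate_cookie(cookie: str, users=USERS, key: bytes = SERVER_KEY) -> bool:
    """The server's login check: decrypt and compare with the stored password.

    Anyone holding a valid cookie passes this check without ever learning the
    password, which is Donahue's point: the ciphertext *is* the credential."""
    opened = open_cookie(cookie, key)
    if opened is None:
        return False
    username, password = opened
    stored = users.get(username, "")
    return hmac.compare_digest(stored.encode(), password.encode())


def tamper(cookie: str) -> str:
    """Flip one ciphertext byte to show the MAC catches modification."""
    username, blob = cookie.split(":", 1)
    raw = bytearray(base64.b64decode(blob))
    raw[NONCE_LEN] ^= 0x01
    return username + ":" + base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    cookie = issue_cookie("alice", "hunter2")
    # A captured cookie replays indefinitely: no expiry, nothing ties it to a session.
    print("replay accepted:", authenticate_cookie(cookie))
    # Without SERVER_KEY the attacker gets nothing out of it.
    print("plaintext without key:", open_cookie(cookie, key=b"\x00" * 32))
    print("tampered accepted:", authenticate_cookie(tamper(cookie)))
```

Run as a script it prints that the replayed cookie is accepted, that the password is not recoverable under another key, and that a modified cookie is rejected. The replay result is the practical caveat: encrypting the password limits the damage of a stolen cookie to this one service, but it does nothing to stop the cookie itself being reused, so a captured value stays valid until the password changes.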