I would very much appreciate a primer on where my understanding of cookie security is wrong. Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?Actually, it is none of this. I am sure the password is encrypted and I do not know now what it is/was. I know nothing about the server, much less any salt and have no access to such information. I did not use any tools besides a browser. And the only thing I got was the string you provided me with.
What you missed about cookie security is simply this: if you browser needs certain information to remember you and keep you logged in, then my browser can use the same information to log me in as you.
I do not wish to change the login and cookie thingy - it is fine if we just remove the scripts. And it is safe in other ways, meaning that it is as hard or harder to simply guess your cookie without information as it is guessing your password in the first place.
You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.
|Replies are listed 'Best First'.|
Re: Hacking "explained"
by Aristotle (Chancellor) on Oct 22, 2002 at 12:56 UTC