PerlMonks  

Re: Cookie based authentication: Is it secure?

by tilly (Archbishop)
on Aug 28, 2000 at 04:44 UTC [id://29943]


in reply to Cookie based authentication: Is it secure?

Ovid already explained the security issue.

Unless you encrypt the whole site (which is a huge performance hit), you should assume that any data sent in cookies is meant to be public and will be used by someone trying to break in. Think about that before passing passwords and credit card numbers around.

Currently standard https authentication will cost money in the US. However, in a couple of months the RSA patent expires and you will be able to both legally and freely use mod_ssl with Apache. Outside of North America this patent does not hold and you can use mod_ssl without legal worries. Certainly things like credit card information should only be passed through https. (In fact, as an anti-fraud measure VISA is introducing new standards that will disqualify any merchant that sends credit card information over http!)

An alternative for simple authentication that I find interesting is turning a form into http authentication like Hotmail does. Quite a few FAQs say that this is impossible, but it is not and I explained the procedure in Put name and password in URLs.
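As an added illustration that is not part of tilly's note, here are the two cookie patterns the note contrasts, in Perl: a cookie that carries the password itself, beside one that carries only an opaque random session token, flagged Secure so the browser sends it over https only (and HttpOnly, a flag that postdates this 2000 thread). The in-memory session store, the user name and the password are constructed stand-ins.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Cookie;
use Digest::SHA qw(sha256_hex);

# Weak pattern, shown for contrast: the cookie itself carries the
# credentials, so anyone who can read the http traffic holds the password.
sub credential_cookie {
    my ($user, $password) = @_;
    return CGI::Cookie->new(-name => 'auth', -value => "$user:$password");
}

# Constructed server-side session store (a real app would use a database
# or Apache::Session). Keyed by a hash of the token, so a copy of the
# store alone does not yield usable tokens.
my %sessions;

sub random_token {
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;    # 64 hex characters
}

# Safer pattern: the cookie holds only an opaque token; the user name
# stays on the server. -secure restricts the cookie to https, -httponly
# keeps it out of reach of page scripts.
sub session_cookie {
    my ($user) = @_;
    my $token = random_token();
    $sessions{ sha256_hex($token) } = { user => $user, issued => time };
    return CGI::Cookie->new(
        -name => 'session', -value => $token,
        -secure => 1, -httponly => 1, -path => '/',
    );
}

# On a later request, map the presented token back to a user (or undef).
sub user_for_token {
    my ($token) = @_;
    my $s = $sessions{ sha256_hex($token) } or return;
    return $s->{user};
}

print "Weak:   ", credential_cookie('alice', 'hunter2')->as_string, "\n";
my $c = session_cookie('alice');
print "Better: ", $c->as_string, "\n";
print "Lookup: ", user_for_token(scalar $c->value), "\n";
```

The "Weak" line prints the password in the Set-Cookie header itself, which is exactly what an observer of plain http traffic would see; the "Better" line exposes only a token that is useless without the server-side store.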
