in reply to Secure Login

No, there isn't, and one isn't likely to be added any time terribly soon. The reason is that the insecurity isn't in HTTP being cleartext, but rather in the cookies not being as opaque as they should be.

(If you're interested in changing that fact, level 7 or higher, and trustworthy, you might want to consider becoming a pmdevil.)


Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

Re^2: Secure Login
by adrianh (Chancellor) on Jul 09, 2003 at 16:39 UTC

    Making the cookie content more opaque wouldn't help. Snooping an opaque cookie is just as simple as snooping the login details or the plaintext cookie.

    Moving to an expiring key-based authentication system with a secure login would reduce the window of opportunity for hijacking. Encrypting everything over https makes it more secure (if, of course, you trust the gods and pmdev).

    However, personally, for something like perlmonks I really don't think it's worth the effort or cost.
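
The expiring-key idea from the reply above, as an added example (not code from this thread or from the PerlMonks code base). It assumes an HMAC-SHA256 signed `user|expiry|tag` cookie and a 15-minute lifetime; all names and the token format are hypothetical. It shows that a signed cookie is still accepted from whoever presents it, and that the expiry is what bounds how long a captured copy stays useful.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret, never sent to clients
TTL_SECONDS = 900                     # assumed 15-minute session lifetime


def _tag(payload: str, key: bytes) -> bytes:
    """HMAC-SHA256 over the payload, hex-encoded as bytes."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(user: str, now: int, key: bytes = SERVER_KEY, ttl: int = TTL_SECONDS) -> str:
    """Build a cookie value of the form user|expiry|tag."""
    payload = f"{user}|{now + ttl}"
    return f"{payload}|{_tag(payload, key).decode()}"


def verify_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the user name if the tag is valid and the token is unexpired, else None."""
    try:
        user, expires, tag = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    # Constant-time comparison; the tag covers the expiry, so it cannot be extended.
    if not hmac.compare_digest(tag.encode(), _tag(f"{user}|{expires}", key)):
        return None
    if now >= expires_at:
        return None  # a captured copy stops working here
    return user


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    cookie = issue_token("monk", t0)
    # The server cannot tell the owner from anyone else holding the same cookie:
    print("within TTL :", verify_token(cookie, t0 + 60))
    print("after TTL  :", verify_token(cookie, t0 + TTL_SECONDS))
    user, exp, tag = cookie.rsplit("|", 2)
    print("forged exp :", verify_token(f"{user}|{int(exp) + 3600}|{tag}", t0 + 60))
```
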