As I've mentioned before, it's not that you have *your* password.  It's that
someone else can sniff your cookies (which are being sent over on every
request, over unencrypted links, since most of us don't build our entire
sites on HTTPS).  Someone can easily sniff the cookie being sent, and figure
out your password.  And since a lot of people use the same password for more
than one place, now the hacker has access to all the other places where you
use the same password.  

The point is, it's a security hole.  And one that doesn't need to be there.
I don't see why you would ever want to store sensitive information like
userid and password in a cookie, even if it's hashed.  


-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 1:40 PM
To: CF-Talk
Subject: Re: pseudo-memory leak

Alright, so you can find out what the hash is, so you have *your* password.
Now how are you going to find the user ID of someone else (especially if it
is an uuid) and figure out their password?  Plus, once again you can seed
the hash if you are worried about it.

Sure, you have to think about security a little bit when using cookies, but
to me, that's a small price to pay and worth the tradeoff not to use client
vars.  There just isn't much that I ever want to store in a cookie, the
userid and password being one of the few examples.  Anything else is just
preferences like font size or something silly.  But I would much rather
think about security and use cookies than client vars.  They are just too
prone to problems imo.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Yea, I mentioned that before in the thread.  Theoretically, hashing 
> should be 1 way (so there is no way to turn the hash back into the 
> value).  But you could run a bruteforce against a hash, and be able to 
> figure out what the hashed value really is.  You can also build a 
> table of all possible hashes, and then it just becomes a linear 
> search.  (I know someone who's got the complete rainbow tables for 
> windows passwords, and is able to find any password within a few hours, I
> believe, if he's got the hash).
>
>
>
> -----Original Message-----
> From: Kerry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 1:14 PM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> FYI, hashing something doesn't mean that it can't be extracted, why just 
> the other day my little 2Ghz workstation extracted a 5 character 
> password from a hash in about 5 minutes...
>
> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: 29 November 2005 09:43
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
>
> Normally you would HASH the data so it cannot be extracted and used or 
> changed.
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]
> Sent: 28 November 2005 23:40
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Cookies are not very secure now, are they?  Let's say I was going to 
> let the user be logged in, and I wanted that to persist... So I would do..
>
> Client.userId=123456
>
> Now, the user has no way to change that... Now, let's say I store it in 
> the cookie...
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userid.  Worse, 
> they can change the userid, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables.  What benefit 
> do they really offer?  The only time I could see using them is when 
> you had something that you might think about storing in a cookie.  I 
> rarely come across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session.   Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD?  How is BD handling this
> > issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the 
> > House of Fusion server was facing for the last few weeks. It's a 
> > problem that probably affects others but I'm not going to comment on 
> > how wide spread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak

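The two risks argued over in this thread are that a cookie holding `userId=123456` can simply be edited to become someone else, and that a cookie holding a password hash is a static, replayable credential that can be sniffed on an unencrypted link and then brute-forced offline. The following is an added example, not code from any post in the thread, written in Python rather than CFML so it runs stand-alone: it contrasts the raw-userid cookie with an HMAC-signed, expiring token that carries no password material at all. `SERVER_SECRET`, the token layout and the `rewrite_user_id` helper are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret for this example; a real deployment keeps it
# on the server only and never sends it to the client (assumption: 32 random bytes).
SERVER_SECRET = secrets.token_bytes(32)


def naive_cookie(user_id: int) -> str:
    """The pattern criticised in the thread: <Cfcookie name="userId" value="123456">."""
    return str(user_id)


def naive_login(cookie: str) -> int:
    """Trusts the client-supplied value outright, so editing the cookie switches users."""
    return int(cookie)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Cookie value = base64(payload).base64(HMAC-SHA256(secret, payload)).

    The payload names the user and an expiry only. No password or password
    hash ever leaves the server, so a sniffed cookie is a short-lived session
    credential rather than something reusable at every other site.
    """
    payload = json.dumps({"uid": user_id, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(cookie: str, secret: bytes, now: int):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(payload)
        uid, exp = int(data["uid"]), int(data["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if now >= exp:
        return None
    return uid


def rewrite_user_id(cookie: str, new_user_id: int) -> str:
    """Model the edit Russ describes: change the uid but keep the original signature."""
    payload_b64, sig_b64 = cookie.split(".")
    data = json.loads(_b64d(payload_b64))
    data["uid"] = new_user_id
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(payload)}.{sig_b64}"


def demo(secret: bytes = SERVER_SECRET) -> dict:
    """Exercise both designs against the same tampering and reuse scenarios."""
    now = int(time.time())
    results = {}
    # Raw userid cookie: the edited value is accepted as-is.
    results["naive_tampered_uid"] = naive_login("999")
    # Signed token: only the untouched, unexpired cookie verifies.
    token = issue_token(123456, secret, now)
    results["signed_ok"] = verify_token(token, secret, now)
    results["signed_tampered"] = verify_token(rewrite_user_id(token, 999), secret, now)
    results["signed_expired"] = verify_token(token, secret, now + 3601)
    results["signed_wrong_secret"] = verify_token(token, b"other-server-secret", now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Seeding (salting) a password hash, as Ryan suggests, slows down table lookups but still leaves a credential in the cookie that is valid until the password changes; the signed token above instead expires on its own and is worthless to anyone who captures it once the TTL has passed, and the server can revoke it outright by rotating the secret.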