Re: PayPal security flaw

From: Ives Steglich (news_at_dalini.de)
Date: 12/20/03


Date: Sat, 20 Dec 2003 11:32:48 +0100

Barry Margolin wrote:

> In article <m0ad5o3hbk.fsf@rcn.com>, comphelp@toddh.net (Todd H.)
> wrote:

>>True, but it doesn't excuse the poor coding practice if the page is
>>coded as the poster reports. There's no reason the password should
>>ever be stuck in a hidden form unhashed.

> Why does it matter that it's unhashed? Even if it's hashed, someone can
> copy it and send it in another browser session.

depends on the hash... if you hash the pwd+sessionid you can't ever use
it in another session... or with a timestamp or both - so you also have
timeout barriers inside a running session

ok, this scenario requires plain-text pwd on the server side, but this
problem is already solved - we have those - if one gets it in plaintext in a
hidden field...

anyway - usually it should be enough to give the user its session id in a
hidden field... no password at all - the server should know if he is
already identified/authenticated

> Unless you want to make the user go through the password entry page
> again, the authentication info has to be saved on the client machine
> somewhere. It could be put in a cookie rather than a hidden field, but
> most browsers have a way to view all the cookies so that wouldn't really
> be any more protected.
>
if you are inside a session - you can store those things server-side,
and if you have a new session, the user has to provide the password
again...
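The two approaches argued over in this thread, as an added example that is not code from any of the participants: a hidden-field token bound to the session id and a timestamp (so a copied value fails in another session and times out inside a running one), and the simpler design of giving the client only a session id while the authenticated state lives server-side. The token is computed with a keyed HMAC over `session_id|timestamp` using a server-held `SERVER_SECRET` rather than the post's hash of pwd+sessionid, so the server never needs the plaintext password for verification; `SERVER_SECRET`, `TOKEN_LIFETIME`, `SessionStore` and the session ids used below are constructed for this demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret. Assumption: in a real deployment this is generated
# once and kept only on the server, never placed in a page or cookie.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_LIFETIME = 300  # seconds; the "timeout barrier inside a running session"


def issue_token(session_id: str, issued_at: int) -> str:
    """Value for the hidden field: timestamp plus a MAC that binds it to one session."""
    msg = f"{session_id}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_token(token: str, session_id: str, now: int) -> bool:
    """Server-side check: same session, unmodified, and still within TOKEN_LIFETIME."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed or tampered field
    if now < issued_at or now - issued_at > TOKEN_LIFETIME:
        return False  # expired (or clock skew into the future)
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}|{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(mac, expected)


class SessionStore:
    """The alternative from the end of the post: the client holds only a session
    id (hidden field or cookie); whether it is authenticated is known server-side."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}  # session_id -> {"user": ..., "created": ...}

    def login(self, user: str, now: int) -> str:
        # Password verification happens once, here (omitted); only an unguessable
        # random id ever goes back to the client.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now}
        return sid

    def is_authenticated(self, session_id: str) -> bool:
        return session_id in self._sessions

    def logout(self, session_id: str) -> None:
        # A new session means the user must present the password again.
        self._sessions.pop(session_id, None)


def demo() -> dict:
    """Walk through the cases the thread discusses; returns the outcomes."""
    store = SessionStore()
    sid = store.login("alice", now=1000)
    token = issue_token(sid, issued_at=1000)
    results = {
        "same_session_in_time": verify_token(token, sid, now=1100),
        "copied_into_other_session": verify_token(token, "sess-other", now=1100),
        "same_session_after_timeout": verify_token(token, sid, now=1000 + TOKEN_LIFETIME + 1),
        "server_knows_authenticated": store.is_authenticated(sid),
        "unknown_session_id": store.is_authenticated("sess-other"),
    }
    store.logout(sid)
    results["after_logout"] = store.is_authenticated(sid)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30s} {ok}")
```

Only the first case and the server-side lookup succeed; the token copied into another browser session, the token presented after the timeout, and any id the server did not issue are all rejected, which is the behaviour the post argues a hashed (rather than plaintext) hidden field should give.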
