This is a question: is there a way for a user to change cookie values in a browser, for example to replace his cookies (login and hashed password) with stolen ones and access the site under the stolen account? I store the login and password (Blowfish) in a cookie, so I am wondering how safe that is.
- Well, it's entirely possible. But that is already the problem of the user whose cookies were stolen; they shouldn't be downloading viruses. :) - intro94
- Then what's the point of hashing the password? - user196554
- Why then protect a private house with a fence, if it can be climbed over and the dog shot? That is what I mean: extra security. Nothing will ever give 100% protection, but you need to protect as much as possible. And the fact that the user "gives" his cookies to someone is entirely the user's fault. The developer, for his part, did everything, including encrypting the password. :) - intro94
1 answer
whether the user can change the browser cookie values in some way
He can.
how safe is it
It is safe as long as there is no way to retrieve another user's password. He can set whatever he likes in the cookie, but how would he know what to set?
Besides, cookies are cookies... but let's say the check for 5-10 incorrectly entered values within 5-10 minutes has not been abolished. You simply check: if the password is not correct, do not let that user in for 10 minutes, and then nobody will be able to guess a password. Or just a captcha at authorization: if there is a cookie, the user sees the captcha; if there are no cookies, then the captcha plus the login and password fields.
Everything, of course, depends on how many other vulnerable scripts you have.
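A worked illustration of the answer's two points (the cookie is client-controlled data that must be verified against the server-side store, and a login is refused after a few bad values within a 10-minute window). This is an added example, not code from the question or the answer; the in-memory user store, the PBKDF2 hash (the question mentions Blowfish), the `login`/`pwhash` cookie fields, the constants and the injectable clock are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed in-memory user store: login -> (salt, password hash).
# Assumption for the example; the post only says the cookie holds a login and a hashed password.
USERS = {}


def hash_password(password: str, salt: bytes) -> str:
    # Slow, salted hash for the stored credential (assumption: PBKDF2 instead of Blowfish).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def register(login: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[login] = (salt, hash_password(password, salt))


class CookieAuth:
    """Verifies a login cookie and locks a login after too many bad hashes."""

    MAX_FAILURES = 5          # "5-10 incorrectly entered values"
    WINDOW_SECONDS = 10 * 60  # "do not let that user in for 10 minutes"

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the window can be tested
        self.failures = defaultdict(list)  # login -> timestamps of recent bad attempts

    def _recent_failures(self, login: str) -> list:
        # Drop failures that are older than the window before counting.
        cutoff = self.clock() - self.WINDOW_SECONDS
        self.failures[login] = [t for t in self.failures[login] if t > cutoff]
        return self.failures[login]

    def is_locked(self, login: str) -> bool:
        return len(self._recent_failures(login)) >= self.MAX_FAILURES

    def check_cookie(self, cookie: dict) -> bool:
        # Every value in `cookie` was sent by the browser and may have been edited
        # or copied from someone else; only USERS (server side) is trusted.
        login = cookie.get("login", "")
        presented = cookie.get("pwhash", "")
        if login not in USERS:
            return False
        if self.is_locked(login):
            # Refuse even a correct value until the window has passed, so that a
            # wrong hash cannot be tried more than MAX_FAILURES times per window.
            return False
        _, stored = USERS[login]
        if hmac.compare_digest(presented, stored):  # constant-time comparison
            self.failures[login].clear()
            return True
        self.failures[login].append(self.clock())
        return False


if __name__ == "__main__":
    register("alice", "correct horse battery")
    auth = CookieAuth()
    _, good_hash = USERS["alice"]
    print(auth.check_cookie({"login": "alice", "pwhash": good_hash}))   # accepted
    for _ in range(CookieAuth.MAX_FAILURES):
        auth.check_cookie({"login": "alice", "pwhash": "0" * 64})      # bad values
    print(auth.is_locked("alice"))                                     # now locked out
```

Note what the lockout does and does not cover: it stops someone guessing hash values through the cookie, which is the attack the answer addresses, but a cookie copied from a logged-in user still carries the correct hash and is accepted, which is exactly the "entirely possible" case the comments concede.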