Site security: The user is either pulled from a fresh login or password cookie and is logged in (or if the password is incorrect then it is rejected)
invalid). + Leads to the disapproval of multiple failed logins.
Passed with password MD5 head and a random number.
My question is, is it unfair?
I understand that this is not absolutely safe anybody can access the user's cookies, hashed can break a cookie and then he knows the user password.
But is it quite safe and is it unethical in such a way that the plain text password stored anywhere is unethical?
This is destructive.
The correct (or at least one better) method is to create a server-side token that is random for a long time and is not indispensable enough and when the user logs in to the cookie Send it. When the server receives the cookie, check to see if it matches, and if so, the user validates to see the token against the list.
Some Miscellaneous Notes:
- You want to reset that token anymore, which makes a copy of the user's cookies by keeping someone unreliable access to your site If the token is, for example, older than one week, then create a new one and send it to the customer and expire the old one server-side.
- Treat a server-side token with the same security as a username and password, because it is considered an authentication mechanism. Do not keep in a table or file, accessible to everyone!
- For any transaction of destructive or top level confidentiality, make sure to re-verify the user through the username and password. For example, if the user wants to change his password, or if you use the e-mail password as a recovery mechanism and want to change his e-mail address, or if he wants to delete his or her account, Want to type their username and password to do this, even if the token is present.
You can check for more tips and best practices, but yes, send not passwords in any form, even if the customer was washed, Whether encoded or whatever, the customer
Comments
Post a Comment