#5080 - No longer use password hash as password cookie
| Field | Value |
|---|---|
| Identifier | #5080 |
| Issue type | Feature request or suggestion |
| Title | No longer use password hash as password cookie |
| Status | Completed |
| Tags | Roadmap: v11 (custom); Type: Security (custom) |
| Handling member | Chris Graham |
| Addon | core_cns |
| Description | Composr, like much forum software, uses the password hash as the password cookie that makes "remember me" work. This is secure in the sense that you can't get the password back from the hash. However, it is not ideal: if the password cookie is stolen, the password must be reset for the stolen value to stop working as a password cookie on another machine, and there would be no way to force a mass reset of all password cookies. Additionally, there is a big security issue if hashing is turned off for some reason (definitely not recommended, but we do support that at the user's own risk, e.g. for quick Intranet integrations). And finally, if hashing ever becomes reversible somehow (quantum computers? rainbow tables? bad hashing algorithms?), a stolen password cookie would be convertible back to a password, and that password would then be known. Some software supports "login keys", which are simply random keys on an account that are compared against the same value stored in the password cookie. We can do this too. |
| Steps to reproduce | |
| Funded? | No |
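The two "remember me" designs the description contrasts, side by side, as an added example (not Composr code): the old scheme puts the stored password hash in the cookie, so a stolen cookie can only be revoked by a password reset and, with hashing switched off, the cookie simply is the password; the login-key scheme stores a random per-account key, compares the cookie against it, and can rotate one account's key or reset every key site-wide without touching any password. The in-memory user table, the `Account` fields and every function name here are hypothetical.

```python
"""Contrasts the password-hash cookie with a random per-account login key.

Added example, not Composr's code; USERS, Account and all function names
are hypothetical stand-ins for the real user table and session code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    salt: str
    password_hash: str                 # old scheme: this value goes in the cookie
    login_key: Optional[str] = None    # new scheme: random "remember me" key


USERS: Dict[str, Account] = {}         # constructed in-memory user table


def hash_password(password: str, salt: str) -> str:
    # Constructed stand-in for the site's password hashing. If hashing were
    # turned off, this would return the plaintext and the old cookie scheme
    # would send the password itself to the browser.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def register(username: str, password: str) -> Account:
    salt = secrets.token_hex(8)
    acct = Account(username, salt, hash_password(password, salt))
    USERS[username] = acct
    return acct


def change_password(username: str, new_password: str) -> None:
    acct = USERS[username]
    acct.password_hash = hash_password(new_password, acct.salt)


# ---- old scheme: cookie value == stored password hash -------------------
def old_cookie_value(username: str) -> str:
    return USERS[username].password_hash


def old_cookie_valid(username: str, cookie: str) -> bool:
    acct = USERS.get(username)
    if acct is None:
        return False
    # Stays valid for as long as the password is unchanged: the only way to
    # revoke a stolen cookie is a password reset, and there is no mass reset.
    return hmac.compare_digest(acct.password_hash.encode(), cookie.encode())


# ---- new scheme: random per-account login key ---------------------------
def issue_login_key(username: str) -> str:
    """Mint (or rotate) the account's login key; the return value is the cookie."""
    key = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    USERS[username].login_key = key
    return key


def login_key_valid(username: str, cookie: str) -> bool:
    acct = USERS.get(username)
    if acct is None or acct.login_key is None:
        return False
    # Constant-time comparison on bytes, so an odd cookie value cannot raise.
    return hmac.compare_digest(acct.login_key.encode(), cookie.encode("utf-8"))


def mass_reset_login_keys() -> int:
    """Invalidate every outstanding "remember me" cookie site-wide; returns the count."""
    count = 0
    for acct in USERS.values():
        if acct.login_key is not None:
            acct.login_key = None
            count += 1
    return count


if __name__ == "__main__":
    register("alice", "correct horse")
    stolen = old_cookie_value("alice")
    print("old scheme, stolen cookie valid:", old_cookie_valid("alice", stolen))
    change_password("alice", "new password")
    print("old scheme after password reset:", old_cookie_valid("alice", stolen))

    stolen = issue_login_key("alice")
    print("login key valid:", login_key_valid("alice", stolen))
    issue_login_key("alice")           # rotate the key; password untouched
    print("after rotation:", login_key_valid("alice", stolen))
```

A further hardening step beyond what the issue asks for is to store only a hash of the login key in the database and hash the cookie value before comparing, so that a leaked user table does not hand out working "remember me" cookies; the rotation and mass-reset logic is unchanged by that.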
Comments
There have been no comments yet